Re: Is Request Tracker broken?
On Tue, May 03, 2005 at 05:19:06PM -0700, Doug Kaufman wrote:
> On Tue, 3 May 2005, Lutz Jaenicke wrote:
> > New submissions are moderated. I have been on vacation and I did mess up to correctly hand over to another team member.
>
> Thanks for all your work on this. I had assumed that it was all automated.

The openssl-bugs@openssl.org and [EMAIL PROTECTED] addresses are well known in SPAM databases so some moderation must take place to keep this thing useful...
[personal comment on SPAM deleted]

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: Is Request Tracker broken?
On Sat, Apr 30, 2005 at 11:58:34AM -0700, Doug Kaufman wrote:
> I sent a message to the request tracker on 24 April. Normally I expect a request number to be assigned and a copy of the email (with attachments stripped) to be forwarded to openssl-dev. None of that has happened yet. Nothing bounced back to me. I assume that people are waiting for a number to be assigned before replying, so that it will be archived properly in rt. A copy of the message follows (I had cc'd to openssl-dev).

New submissions are moderated. I have been on vacation and I did mess up to correctly hand over to another team member.

Sorry for any inconvenience caused,
Lutz

> On Sun, 24 Apr 2005, Doug Kaufman wrote:
>
> Date: Sun, 24 Apr 2005 15:08:14 -0700 (PDT)
> From: Doug Kaufman [EMAIL PROTECTED]
> Reply-To: openssl-dev@openssl.org
> To: [EMAIL PROTECTED]
> Cc: openssl-dev@openssl.org
> Subject: SSL_CTX_set_default_paths
>
> There doesn't seem to be any documentation in the .pod files of the SSL_CTX_set_default_paths function or of the environment variables SSL_CERT_FILE and SSL_CERT_DIR which can change the value it returns. This came up recently in discussion on the wget list. The wget file retriever does not use the defaults (instead specifying the location of the trusted certificate each time on the command line), and the developers were not familiar with this function to set the default paths. Is the lack of documentation an oversight (or on the to-do list), or is use of the default paths deprecated? There was some hesitancy on the wget list to use an openssl function that doesn't seem to have documentation. This has affected other applications also. The curl file retriever sets its own default locations (also related to the developers having been unfamiliar with the function when its ssl code was written). The lynx browser does use SSL_CTX_set_default_paths. I am not sure what other applications which link to the openssl library do.
>
> Can anyone comment on the status of SSL_CTX_set_default_paths and the associated functions (X509_STORE_set_default_paths, X509_LOOKUP_file, X509_LOOKUP_hash_dir, by_file_ctrl, X509_get_default_file_cert_env, X509_get_default_cert_dir_env and dir_ctrl)? Also, the function dir_ctrl in crypto/x509/by_dir.c looks wrong to me. Shouldn't it be checking for the environment variable first, then getting the default if no environment variable is specified (the way by_file_ctrl does in crypto/x509/by_file.c)? Sorry if I am misreading what that function is doing. The code looks the same in 0.9.7 and 0.9.8.
>
> Doug
> -- 
> Doug Kaufman
> Internet: [EMAIL PROTECTED]
Re: Request Tracker - 403 Forbidden
On Fri, Apr 22, 2005 at 12:56:27PM +0200, Gyorgy Camaszotisz wrote:
> Hi folks,
> I cannot reach the Request Tracker as listed on the support page ... http://www.aet.tu-cottbus.de/rt2/ returns 403 Forbidden, without even asking for credentials. Is it just me, or something happened with this location?

We had a hard disk problem that seems to be resolved now.

Please excuse any inconvenience,
Lutz
[openssl.org #1014] prngd/egd interface hard loops eating CPU if descriptor closes
[EMAIL PROTECTED] - Sat Feb 19 11:06:08 2005]:
> Hi. We had a report of sshd looping and eating CPU under some conditions (reference below). The original report was on Solaris 8, we had other on HP-UX 11.11 and I have reproduced it on HP-UX 11.00. It can probably occur on any platform using egd or prngd for entropy.
>
> The cause of the CPU utilization appears to be a bug in OpenSSL's egd/prngd interface. It seems that when reading from prngd, the read loop does not test for a return of zero indicating the descriptor has closed, and will retry the read() ad infinitum if that happens.
>
> At this time, I am not sure why/how the descriptor ends up closed, however I have found a way to reproduce the problem at will.

Thanks, your patch to OpenSSL is obviously correct. (That will still leave the issue of PRNGD not working correctly, but this is not an OpenSSL problem :-)

Patch applied to OpenSSL 0.9.7-stable (to become 0.9.7f) and openssl-dev

Best regards,
Lutz
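The defect accepted above is a read loop that never checks for read() returning 0. As an added illustration (this is not OpenSSL's code and not the patch from the ticket), here is a C read loop that stops at end-of-file and retries only on EINTR, exercised against a constructed pipe that stands in for the prngd/egd socket. The names read_entropy and demo_short_supply are this example's own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Read up to `want` bytes from fd. Returns the number of bytes actually read
 * (>= 0), or -1 on a hard error. A return of 0 from read() means the peer
 * closed the descriptor: stop immediately instead of retrying forever. */
ssize_t read_entropy(int fd, unsigned char *buf, size_t want)
{
    size_t got = 0;
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n == 0)                 /* EOF: no more data will ever arrive */
            break;
        if (n < 0) {
            if (errno == EINTR)     /* interrupted by a signal: retrying is legitimate */
                continue;
            return -1;              /* any other error: give up */
        }
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Constructed stand-in for a daemon that delivers `supplied` bytes and then
 * closes its end. Returns what the reader got before EOF; a loop that ignored
 * the zero return would never come back from this call. */
ssize_t demo_short_supply(size_t supplied, size_t requested)
{
    int fds[2];
    unsigned char buf[256];
    unsigned char junk[256];

    if (requested > sizeof(buf) || supplied > sizeof(junk) || pipe(fds) != 0)
        return -1;
    memset(junk, 0xAB, sizeof(junk));              /* constructed "entropy" bytes */
    if (write(fds[1], junk, supplied) != (ssize_t)supplied) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    close(fds[1]);                                 /* daemon side goes away */
    ssize_t got = read_entropy(fds[0], buf, requested);
    close(fds[0]);
    return got;
}

int main(void)
{
    printf("asked for 32 bytes, got %ld before EOF\n", (long)demo_short_supply(8, 32));
    return 0;
}
```

The caller still has to decide what to do with a short read: for an entropy source, fewer bytes than requested means the seeding attempt failed, not that it may be retried on the same descriptor.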
[openssl.org #1010] Bug report: Typo in blowfish manual page
[EMAIL PROTECTED] - Wed Feb 16 19:43:23 2005]:
> There is a typo in openssl/doc/crypto/blowfish.pod in your CVS repository. Please see the attached diff.

Patch applied.

Thanks,
Lutz
Re: Socket layer and OpenSsl
On Tue, Jan 18, 2005 at 06:45:11AM -0800, Prashant Kumar wrote:
> Hello Group,
> In the project I am working on, we are trying to use OpenSsl in the non blocking mode. However, we want to avoid using the BSD select call and also may have to modify the read/send, write/receive calls. Basically, we want to modify the socket library to achieve our scaling requirements. Did anyone try to use openssl in such an environment? Is there any example?

Have a look into the BIO-pair method. Example is in the Postfix/TLS code, available from my homepage (patch) or from latest Postfix non-productive snapshots.

Best regards,
Lutz
Re: Correspondence not recorded (fwd)
On Sat, Aug 07, 2004 at 12:04:16AM -0700, Doug Kaufman wrote:
> My revised patch was rejected again by rt with the following message. I removed the attachment, since it already has gone to this list. Am I doing something wrong with rt, or is rt having problems?

I have been playing around with the permission settings to improve SPAM handling. I would be most pleased if you would re-send your submission and report if the problem still persists.

Regards,
Lutz

> Doug
> -- 
> Doug Kaufman
> Internet: [EMAIL PROTECTED]
>
> -- Forwarded message --
> Date: Sat, 7 Aug 2004 08:52:08 +0200 (METDST)
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Correspondence not recorded
>
> Permission Denied
Re: [openssl.org #901] INVESTMENT
On Sat, Jun 26, 2004 at 10:23:52AM +0200, preston6000 via RT wrote:
> My name is PRESTON ENAGUA, the eldest son of Dr.MEAIZENA ENAGUA from Zimbabwe. This letter might come as a surprise to you about where I got your contact address and how I knew you. I got your address from the net, and i decided to contact you for an assistant, which I do hope you will take this matter into consideration.

Anti-SPAM measures have been updated. Sorry for this one slipping through...

Best regards,
Lutz
Re: [openssl.org #834] openssl smime -encrypt ... -aes256 planned?
On Wed, Feb 25, 2004 at 09:46:27AM +0100, Ralf Hauser via RT wrote:
> Hi,
> http://www.openssl.org/docs/apps/smime.html# offers
> openssl smime [-encrypt] ... [-des3] ... [-rc2-128]
> Are there any plans to also support -aes256 or stronger?

-aes256 is supported (openssl smime help). It has just been forgotten in the manual page.
(- bounced into request tracker)

Best regards,
Lutz
Re: TLS session memory requirements
On Thu, Feb 12, 2004 at 08:42:39PM -0700, Sales, Randall S (Randall) wrote:
> Has anyone else had need to reduce TLS session memory footprint? When acting as server (Apache 2.0 running on Linux), I measure 57kB used after https session established, with peak memory use at 99kB (during establishment). A s_server/s_client TLS session shows slightly higher values.
>
> ./ssl/ssl3.h defines SSL3_RT_MAX_PLAIN_LENGTH as 16384. This #define is the basis of quite a few relatively large mallocs. Is 16384 a sacred number? What are the implications of reducing the value to 2048 or 4096? Would the change have any effect on functionality, stability, and/or performance?

16834 is part of the TLS standard: it is the largest chunk to be used for encrypted communication. You could reduce your chunk size for sending, but you have to reserve a buffer large enough for receival as your peer is still free to use the full chunk size.

Best regards,
Lutz
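Added example, not from the list or from OpenSSL: a C receiver-side check of the record length field against the protocol maximum, plus a helper showing that a sender may pick a smaller local chunk size without changing what the peer is allowed to send. The 16384-byte plaintext limit is the SSL3_RT_MAX_PLAIN_LENGTH value from the question; the additional 2048 bytes of per-record ciphertext expansion is the TLS 1.0 (RFC 2246) bound and is not from this thread. All function and macro names are this example's own.

```c
#include <stddef.h>

#define TLS_MAX_PLAIN_LENGTH     16384   /* 2^14, the SSL3_RT_MAX_PLAIN_LENGTH value */
#define TLS_MAX_CIPHER_OVERHEAD   2048   /* RFC 2246: TLSCiphertext.length <= 2^14 + 2048 */
#define TLS_RECORD_HEADER_LEN        5   /* type(1) version(2) length(2) */

enum rec_status { REC_OK = 0, REC_SHORT_HEADER, REC_BAD_TYPE, REC_TOO_LONG };

/* Parse a TLS record header and validate the length before any buffer is
 * sized from it. A receiver must accept anything up to the protocol maximum,
 * because it cannot control what the peer sends; anything larger is an error. */
enum rec_status tls_parse_record_header(const unsigned char *hdr, size_t hdrlen,
                                        size_t *body_len)
{
    if (hdrlen < TLS_RECORD_HEADER_LEN)
        return REC_SHORT_HEADER;
    /* content types: 20 change_cipher_spec, 21 alert, 22 handshake, 23 application_data */
    if (hdr[0] < 20 || hdr[0] > 23)
        return REC_BAD_TYPE;
    size_t len = ((size_t)hdr[3] << 8) | hdr[4];
    if (len > TLS_MAX_PLAIN_LENGTH + TLS_MAX_CIPHER_OVERHEAD)
        return REC_TOO_LONG;
    *body_len = len;
    return REC_OK;
}

/* Sender side: number of records needed to carry `total` plaintext bytes when
 * the local chunk size is `chunk`. A chunk of 0 (or one above the maximum)
 * means "use the full protocol record size". Shrinking the chunk only costs
 * more records; it never changes what the peer may send back. */
size_t tls_records_needed(size_t total, size_t chunk)
{
    if (chunk == 0 || chunk > TLS_MAX_PLAIN_LENGTH)
        chunk = TLS_MAX_PLAIN_LENGTH;
    return (total + chunk - 1) / chunk;
}

int main(void)
{
    /* constructed header: application_data, TLS 1.0, length 0x4000 = 16384 */
    const unsigned char hdr[5] = {0x17, 0x03, 0x01, 0x40, 0x00};
    size_t n = 0;
    return tls_parse_record_header(hdr, sizeof hdr, &n) == REC_OK ? 0 : 1;
}
```

Reducing the send-side chunk trades a few more record headers and MACs for a smaller outgoing buffer; the receive buffer still has to hold 16384 + 2048 bytes, which is why lowering the #define itself is not a safe memory optimisation.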
Re: openssl smime -rand
On Thu, Feb 12, 2004 at 12:19:44PM +0100, Michael Bell wrote:
> Hi,
> I found a problem with openssl smime -rand filename. If I specify a randfile then this file is not updated by apps/smime.c. The program calls app_RAND_write_file with a NULL pointer even if a randfile was specified. The result is that app_RAND_write_file in apps/app_rand.c tries to get a filename via RAND_file_name from crypto/rand/randfile.c. This function checks the environment variables RANDFILE and HOME or falls back to the default position.
>
> The problem is that this is a security issue because the randfile is never updated. We (OpenCA) work on a batch system and for such systems with high volumes of operations such a never changing random can be really critical - or at minimum I believe this today.
>
> A fix could look like this:
>
> OLD:
>     if (need_rand)
>         app_RAND_write_file(NULL, bio_err);
>
> NEW:
>     if (need_rand) {
>         if (inrand != NULL)
>             app_RAND_write_file(inrand, bio_err);
>         else
>             app_RAND_write_file(NULL, bio_err);
>     }
>
> If you agree that this is a bug then I forward it to rt.

I tend to disagree. The randfile can be the same thing as a .rnd file, but it is actually intended to be used as a source only. Consider the case of a process run by user root that will give -rand /var/adm/syslog/syslog.log as an option. This will give quite some entropy but... Therefore ever changing entropy should be handled via .rnd file, which _is_ updated.

Best regards,
Lutz
Re: SSL_get_shared_ciphers question
On Wed, Feb 04, 2004 at 02:22:49PM +0100, Jostein Tveit wrote:
> Lutz Jaenicke [EMAIL PROTECTED] writes:
> > On Tue, Feb 03, 2004 at 08:41:23AM +0100, Jostein Tveit wrote:
> > > What exactly does the comment in ssl/ssl_lib.c mean:
> > > /* works well for SSLv2, not so good for SSLv3 */
> > > char *SSL_get_shared_ciphers(SSL *s,char *buf,int len)
> >
> > It's part of the protocol (SSLv3, TLSv1, ...). The client sends its list of supported ciphers, based upon which the server decides which cipher to use. The server never leaks the information about the ciphers supported.
>
> Yes, I know. So the function SSL_get_shared_ciphers can only be used on the server side. What happens if you try to use it on the client side? Does it only report one common cipher? And what exactly does the comment "works well for SSLv2, not so good for SSLv3" mean? As far as I know, both SSLv2 and SSLv3/TLSv1 client hello include a list with preferred ciphers.

Yes, it does include the list of shared ciphers. I actually do not remember the situation for SSLv2 (which I investigated at some point in time long ago :-). But at least for SSLv3/TLSv1 the SSL_get_shared_ciphers() function will return the list sent by the client, but as it will not take care of the list actually supported by the server, it does not return the _shared_ ciphers.

Best regards,
Lutz
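To make the distinction in the reply concrete, here is an added C example (it is not OpenSSL's SSL_get_shared_ciphers and does not use libssl) that keeps only the ciphers present in both the client's offered list and the server's supported list, in the client's preference order, and formats them as the colon-separated string the OpenSSL function produces. It refuses to write when the caller's buffer is too small rather than truncating silently. The cipher names and both lists are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Build "A:B:C" from the ciphers offered by the client AND supported by the
 * server, in the client's order. Returns buf on success, NULL if the result
 * (including the terminating NUL) does not fit in len bytes. */
char *shared_cipher_list(const char *const *client, size_t nclient,
                         const char *const *server, size_t nserver,
                         char *buf, size_t len)
{
    size_t used = 0;

    if (len == 0)
        return NULL;
    buf[0] = '\0';
    for (size_t i = 0; i < nclient; i++) {
        int supported = 0;
        for (size_t j = 0; j < nserver && !supported; j++)
            supported = (strcmp(client[i], server[j]) == 0);
        if (!supported)
            continue;                           /* offered, but not shared */
        size_t n = strlen(client[i]);
        /* room for the name, a ':' if something precedes it, and the NUL */
        if (used + n + (used ? 1 : 0) + 1 > len)
            return NULL;
        if (used)
            buf[used++] = ':';
        memcpy(buf + used, client[i], n + 1);   /* copies the NUL as well */
        used += n;
    }
    return buf;
}

/* Constructed lists (names as OpenSSL prints them). The client's first and
 * last choices are not supported by the server, so they must not appear. */
const char *const demo_client[] = {"RC4-MD5", "AES256-SHA", "DES-CBC3-SHA", "EXP-RC4-MD5"};
const char *const demo_server[] = {"AES256-SHA", "DES-CBC3-SHA", "AES128-SHA"};

int main(void)
{
    char buf[64];
    if (shared_cipher_list(demo_client, 4, demo_server, 3, buf, sizeof buf) == NULL)
        return 1;
    printf("shared: %s\n", buf);   /* AES256-SHA:DES-CBC3-SHA */
    return 0;
}
```

Contrast this with the behaviour described above, where the list sent by the client is returned unfiltered: a caller that logs or enforces policy on that string would see RC4-MD5 and EXP-RC4-MD5 even though the server will never negotiate them.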
[openssl.org #645] openssl make error
[EMAIL PROTECTED] - Wed Jan 14 14:32:32 2004]:
> I have the same problem, do you already have a solution? If not, and you are interested: I'd like to work with you on this... maybe together we will find a solution...

So please let us repeat the question: What version of gcc do you use? On what version of Solaris? etc, etc...
[openssl.org #811] cross-platform bug in RC4 144 bits?
[EMAIL PROTECTED] - Wed Jan 14 22:17:46 2004]:
> I'm finding that the output from RC4 is different for Linux and Solaris once the key strength 144. However, Linux and Win32 produce the same RC4 results up to 2048 bits. I have included a short program that can reproduce the following output:
>
> When I set RC4_KEYSIZE to 152 and run the program on Linux, I get the following output:
> Initial:74 65 72 72 79
> Encrypt:be 72 fe 4f 46
> Decrypt:74 65 72 72 79
>
> When I run it on Solaris, I get the following output:
> Initial:74 65 72 72 79
> Encrypt:a4 1e 73 3a de
> Decrypt:74 65 72 72 79

On HP-UX 10.20 I get
serv01 39: ./rc4
Initial:74 65 72 72 79
Encrypt:72 6d 7c 7c 61
Decrypt:74 65 72 72 79

I have hence added this report to the request tracker as it is a bug indeed. If this long keysize is supported the streams must hence match. Or it is not supported, in which case an error must be flagged.

Best regards,
Lutz
Re: [openssl.org #570] Contribution: manual page for s_time
On Mon, Jan 05, 2004 at 10:34:29AM +0100, Martin Witzel via RT wrote:
> Thank you, Lutz. I have two comments:
>
> The 'time' parameter is listed in the synopsis line but not among the options. It could read somewhere along the lines of "Specifies how long (in seconds) s_time should establish connections and optionally transfer payload data from a server. Server and client performance and the link speed determine how many connections s_time can establish."
>
> One minor remark about the Notes section on the line which starts with "would typically...": the reference to the ciphers(1) command could be made into a hyperlink. Not a mandatory request by all means, just cosmetic. And it should be ciphers(1), not cipher(1).

Thanks. I have applied your changes. (Actually, the hyperlink was not created automatically due to the cipher[s] typo...

> Any word on the prospect of seeing the "Small OpenSSL" patches in the mainstream code any time soon?

Sorry, no. From actual activity with respect to OpenSSL it seems, that the other OpenSSL team members are as swamped with work as I am myself...

Best regards,
Lutz
[openssl.org #804] Small change to OpenSSL 0.9.7c
[EMAIL PROTECTED] - Tue Dec 30 11:32:55 2003]:
> Hello OpenSSL developers,
> While waiting for OpenSSL to compile I was looking around in the code and saw my own contribution in rand_win.c. It refers to a Microsoft URL that's no longer valid. The updated URL is in the attached patch.

Thanks, changed.

Best regards,
Lutz
[openssl.org #570] Contribution: manual page for s_time
[EMAIL PROTECTED] - Thu Apr 10 08:28:02 2003]:
> I noticed that, among other parts, the documentation of s_time has not yet been worked out. If you can use the attached *.html file as a basis for your online documentation, feel free to include it on your web page.
>
> Regards, Martin Witzel
> (See attached file: s_time.html)

Thanks. I have added your contribution. Note: I had to massage the contents quite a bit, because we do use the POD (plain old documentation) format for manual pages (see pod2man and the actual sources in the doc/ subdirectory). I would therefore be most pleased, if you would kindly review my changes...

Best regards,
Lutz
Re: [openssl.org #748] bug in speed.c
On Tue, Dec 09, 2003 at 07:55:32PM +0100, Kirill Kochetkov via RT wrote:
> type/block size in openssl speed is just buffer size for calling cbc routines. and block size is fixed for different algorithms (as 8 bytes for DES). but now I don't clear about type. Is it simply input data size and can be not only 16,64,256,1024,8192 bytes and even more? and openssl can work with files not only in memory and they can be any size?

The block cipher algorithms do work in memory. It is however not necessary that the data to be handled is a power of 2. It just has to be a multiple of the block size. For DES, it can be 8, 16, 24, 32, etc. (padding is required to reach the full multiple).

The algorithms themselves do work in memory, so if you have data too large to be held in memory, you have to work in chunks. In CBC (cipher block chaining mode), the IV (initial value) coming out of the last crypto operation has to be used as the starting point for the next one.

Best regards,
Lutz
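Added example, not from OpenSSL: CBC chaining across chunks in C, with a deliberately toy 8-byte block function standing in for DES so that it runs without libcrypto (it is not a cipher and must not be used as one). cbc_encrypt updates its IV argument to the last ciphertext block, which is the carry-over contract the reply describes, and chunked_matches_oneshot shows that encrypting in 16-byte chunks reproduces the one-shot ciphertext only when that IV is carried forward; restarting each chunk from the original IV gives different output. The plaintext and keys are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLK 8   /* 8-byte blocks, as for DES */

/* Toy block transform for illustration only (NOT DES, NOT secure):
 * XOR with the key, then rotate the byte order and each byte by one bit. */
static void toy_block_encrypt(const uint8_t in[BLK], uint8_t out[BLK], const uint8_t key[BLK])
{
    uint8_t t[BLK];
    for (int i = 0; i < BLK; i++)
        t[i] = in[i] ^ key[i];
    for (int i = 0; i < BLK; i++) {
        uint8_t b = t[(i + 3) % BLK];
        out[i] = (uint8_t)((b << 1) | (b >> 7));
    }
}

/* CBC over len bytes (len must be a multiple of BLK, i.e. already padded).
 * iv is overwritten with the last ciphertext block so the caller can hand it
 * straight to the call for the next chunk. Returns -1 on a bad length. */
int cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len,
                const uint8_t key[BLK], uint8_t iv[BLK])
{
    uint8_t x[BLK];
    if (len % BLK != 0)
        return -1;
    for (size_t off = 0; off < len; off += BLK) {
        for (int i = 0; i < BLK; i++)
            x[i] = in[off + i] ^ iv[i];          /* chain with previous block */
        toy_block_encrypt(x, out + off, key);
        memcpy(iv, out + off, BLK);              /* carry the IV forward */
    }
    return 0;
}

/* Encrypt in chunks of `chunk` bytes. With carry_iv the IV flows from chunk to
 * chunk; without it every chunk restarts from iv0 (the mistake to avoid). */
int cbc_encrypt_chunked(const uint8_t *in, uint8_t *out, size_t len, size_t chunk,
                        const uint8_t key[BLK], const uint8_t iv0[BLK], int carry_iv)
{
    uint8_t iv[BLK];
    if (chunk == 0 || chunk % BLK != 0)
        return -1;
    memcpy(iv, iv0, BLK);
    for (size_t off = 0; off < len; off += chunk) {
        size_t n = (len - off < chunk) ? len - off : chunk;
        if (!carry_iv)
            memcpy(iv, iv0, BLK);
        if (cbc_encrypt(in + off, out + off, n, key, iv) != 0)
            return -1;
    }
    return 0;
}

/* 1 if chunked output equals one-shot output, 0 if it differs, -1 on error. */
int chunked_matches_oneshot(int carry_iv)
{
    static const uint8_t key[BLK] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed */
    static const uint8_t iv0[BLK] = {9, 8, 7, 6, 5, 4, 3, 2};   /* constructed */
    uint8_t pt[64], one[64], chk[64], iv[BLK];

    for (int i = 0; i < 64; i++)
        pt[i] = (uint8_t)(i * 7 + 1);                             /* constructed plaintext */
    memcpy(iv, iv0, BLK);
    if (cbc_encrypt(pt, one, sizeof pt, key, iv) != 0)
        return -1;
    if (cbc_encrypt_chunked(pt, chk, sizeof pt, 16, key, iv0, carry_iv) != 0)
        return -1;
    return memcmp(one, chk, sizeof pt) == 0;
}

int main(void)
{
    /* exit status 0 only if carrying the IV reproduces the one-shot result */
    return chunked_matches_oneshot(1) == 1 && chunked_matches_oneshot(0) == 0 ? 0 : 1;
}
```

The same carry-over applies to decryption: the IV for the next chunk is the last ciphertext block of the previous chunk, so a file processed in pieces decrypts to the same plaintext as one processed in a single call. Padding is needed once, at the end of the last chunk, not per chunk.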
[openssl.org #794] BUG - BIO printf problem on HP-UX
[EMAIL PROTECTED] - Thu Dec 11 08:16:12 2003]:
> I have a simple program that uses the BIO printf functionality:
>
> #include <stdio.h>
> #include <openssl/bio.h>
>
> int main(int argc, char* argv[])
> {
>     BIO *myBio = BIO_new_fp(stdout, 0);
>     BIO_printf(myBio, "float: %.1f\n", (float) 1000.1234);
>     return 0;
> }
>
> When I run this against either of our builds of 0.9.7c (or b) on HP-UX (PA and IA) the output of the above program will be
> float: 000.1
> Note that the front part of the whole value is cut off. This does not occur on Linux.

That is not correct, it does also occur on my Linux box.

Anyway, the problem is not with OpenSSL but with your code. When performing printf() (variable argument list functions without a prototype to specify the particular data type), a float value will be promoted to a double and the printf formatting functions therefore expect a double value (8 byte) to be available. By casting your data explicitly to (float), only a 4 bit value is passed that is misinterpreted by the %f printing routine.

Best regards,
Lutz
Re: [openssl.org #784] Library cleanup functionality
On Wed, Dec 03, 2003 at 08:50:49AM +0100, [EMAIL PROTECTED] via RT wrote:
> But it never went any further than that, ie. a discussion. Please feel free to open an RT ticket about this and assign ownership to me if you like so that it doesn't slip through the cracks...

It was my pleasure...

Best :-)
Lutz
[openssl.org #513] [PATCH] Parallel make
[EMAIL PROTECTED] - Wed Feb 19 10:38:19 2003]:
> Parallel make, eg. make -j 7 fails now. This patch correct it.

Thanks, patch applied.

Best regards,
Lutz
[openssl.org #519] Migrating from 0.9.6h
[EMAIL PROTECTED] - Mon Feb 24 17:43:50 2003]:
> OpenSSL 0.9.7a Feb 19 2003
> built on: Mon Feb 24 14:33:03 2003
> platform: VC-WIN32
> options: bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) blowfish(idx)
> compiler: cl /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 /Fdout32dll -DOPENSSL_NO_IDEA -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_ENGINE
> OPENSSLDIR: /usr/local/ssl
>
> Built on Windows 2000 SP3 VC6 SP5 using the following commands:
> perl Configure VC-WIN32 no-engine no-rc5 no-idea no-mdc2
> ms\do_ms
> nmake -f ms\ntdll.mak
>
> Library compiles fine. I'm migrating from 0.9.6h to 0.9.7a. I cannot find the function 'x509_free' in any header file. Is this intentional, or some kind of bug? I have to prefix the function name with '__cdecl' (calling convention directive) to make it link in my project. I cannot modify the project's defaults on this. What changes do I need to make to go from 0.9.6h to 0.9.7a? I hate to bother the dev team with such trivial matters, but I haven't found any docs hinting on how to upgrade to 0.9.7a, and the changelog didn't mention anything either. I gather there have been significant changes since 0.9.6h, but has the API changed at all?

Hmm. No, the API did not change, but the implementation did. X509_free() (not the uppercase X) is now implemented differently: It is a macro defined in x509.h (DECLARE_ASN1_FUNCTIONS(X509)) which itself is handled in asn1.h. The actual implementation of the code is (and was) in crypto/asn1/x_x509.c via IMPLEMENT_ASN1_FUNCTIONS(X509). So the location for the __cdecl should be... the DECLARE_ASN1_FUNCTIONS macro. This will of course cover more definitions, but as everything is written in C anyway...

Best regards,
Lutz
[openssl.org #509] about Suse
[levitte - Thu Mar 20 11:39:53 2003]:
> Is this still an issue, and if it is, have you tested version 0.9.7a, and does the problem still remain? If you still have problems, please send a full log of configuration and building. Thanks.

No more correspondence was sent for 6 months. I therefore suppose that the problem is no longer pertinent.

Best regards,
Lutz
[openssl.org #515] 0.9.7a
[EMAIL PROTECTED] - Thu Mar 20 12:01:22 2003]:
> I'd like to ask you to please consider fetching ftp://ftp.openssl.org/snapshot/openssl-0.9.7-stable-SNAP-20030319.tar.gz and test it, to determine if we need to do more fixing *before* release of 0.9.7b (if possible). Otherwise, you just delay the fix (if one is needed) to 0.9.7c.

No further action for more than 6 months. I assume that the bug is fixed indeed and resolve the ticket.

Best regards,
Lutz
Re: [openssl.org #735] Makefile.org rev 1.154.2.63 breaks OpenServer 5
On Fri, Nov 28, 2003 at 07:01:03AM -0800, Tim Rice wrote:
> On Sun, 16 Nov 2003, Lutz Jaenicke via RT wrote:
> > [EMAIL PROTECTED] - Mon Oct 20 15:20:21 2003]:
> > > In trying to build either the OpenSSL_0_9_7c or OpenSSL_0_9_7-stable branch on OpenServer 5 I discovered a change to Makefile.org that caused the build to fail.
> > [snip]
> > > If it was important to s/ASFLAGS/ASFLAG/ in Makefile.org, perhaps adding ASFLAGS= $(ASFLAG) to these makefiles would be in order.
> > > crypto/sha/Makefile.ssl
> > > crypto/ripemd/Makefile.ssl
> > > crypto/des/Makefile.ssl
> > > crypto/rc4/Makefile.ssl
> > > crypto/bf/Makefile.ssl
> >
> > Thanks. I have added the corresponding ASFLAGS setting to these files. Please test the next snapshot (or CVS).
>
> I must have missed these by building a stripped down version.
> crypto/rc5/Makefile.ssl
> crypto/cast/Makefile.ssl

Thanks, applied.

Best regards,
Lutz
Re: [CVS] OpenSSL: OpenSSL_0_9_7-stable: openssl/crypto/evp/ evp_enc.c
On Mon, Dec 01, 2003 at 01:11:57PM +0100, Richard Levitte wrote:
> OpenSSL CVS Repository http://cvs.openssl.org/
> Server: cvs.openssl.org Name: Richard Levitte
> Root: /e/openssl/cvs Email: [EMAIL PROTECTED]
> Module: openssl Date: 01-Dec-2003 13:11:57
> Branch: OpenSSL_0_9_7-stable Handle: 2003120112115700
>
> Modified files: (Branch: OpenSSL_0_9_7-stable)
> openssl/crypto/evp evp_enc.c
>
> Log:
> Check that OPENSSL_malloc() really returned some memory.
> PR: 751
> Notified by: [EMAIL PROTECTED]
> Reviewed by: Lutz Jaenicke, Richard Levitte
>
> Summary:
> Revision Changes Path
> 1.28.2.9 +5 -0 openssl/crypto/evp/evp_enc.c
>
> patch -p0 '@@ .'
> Index: openssl/crypto/evp/evp_enc.c
> $ cvs diff -u -r1.28.2.8 -r1.28.2.9 evp_enc.c
> --- openssl/crypto/evp/evp_enc.c 30 Jan 2003 17:37:44 - 1.28.2.8
> +++ openssl/crypto/evp/evp_enc.c 1 Dec 2003 12:11:57 - 1.28.2.9
> @@ -149,6 +149,11 @@
>  ctx-cipher=cipher;
>  ctx-cipher_data=OPENSSL_malloc(ctx-cipher-ctx_size);
> + if (!ctx-cipher_data)
> + {
> + EVPerr(EVP_F_EVP_CIPHERINIT, ERR_R_MALLOC_FAILURE);
> + return 0;
> + }
>  ctx-key_len = cipher-key_len;
>  ctx-flags = 0;
>  if(ctx-cipher-flags EVP_CIPH_CTRL_INIT)
> @@ .

Have you tested this with eNULL? I would expect the new sequence to unconditionally fail with eNULL!
I was thinking about
    if (ctx-cipher_ctx_size)
        cipher_data = malloc();
    else
        cipher_data = NULL; /* There is no key to store */

Best regards,
Lutz
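Review bot: the NULL test added in the @@ -149,6 +149,11 @@ hunk reports ERR_R_MALLOC_FAILURE whenever OPENSSL_malloc(ctx-cipher-ctx_size) returns NULL, but for a cipher with a zero ctx_size (the eNULL case raised in the reply) a zero-length allocation may legitimately return NULL, so EVP_CipherInit would now fail for that cipher even though there is nothing to store. Guard the error path on the size as well, along the lines of the reply's sketch: allocate only when ctx_size is non-zero, treat a NULL result as a failure only in that branch, and set cipher_data to NULL otherwise.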
[openssl.org #782] IBM patches to OpenSSL-0.9.7c
[levitte - Mon Dec 1 13:18:42 2003]:
> Uh, are you sure you attached ibm.patch? I can't seem to see that patch.

Yes, the patch was attached to the Mail (some 2.x MB)... I will attach a compressed version to this reply.

Best regards,
Lutz
[openssl.org #778] FreeBSD 5.1: memory leak with no /dev/crypto
[EMAIL PROTECTED] - Sat Nov 22 18:26:42 2003]:
> > --- 1055,1061
> > if (engine == NULL) return;
> > if ((fd = get_dev_crypto()) 0)
> > + ENGINE_free (engine);
> > return;
>
> That can't be right. Missing curly braces?
> /r$

> Oops! You're correct, of course. I hope, however, you agree that the ENGINE_free needed to be added.
> -- George Mitchell

Seems to be reasonable to me :-)
Patch applied

Best regards,
Lutz
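Review bot: in the --- 1055,1061 hunk the added ENGINE_free (engine); line becomes the only statement governed by the preceding if ((fd = get_dev_crypto()) 0) test, and the return; that follows is now executed unconditionally, so the function exits before doing any work even when the device was opened successfully. Enclose both statements in braces so the free and the early return stay together on the failure path only: if (...) { ENGINE_free(engine); return; }.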
[openssl.org #731] Patch for Makefile.org and openssl.spec for /usr/lib/pkgconfig mode
[EMAIL PROTECTED] - Mon Oct 13 09:24:50 2003]:
> How do you do? I found it is impossible to create RPM packages of Openssl 0.9.7c with the openssl.spec in the source archive. There is a failure in Makefile.org. Mode of directory /usr/lib/pkgconfig is set to 0644.

Thanks. The bug has already been fixed in CVS.

Best regards,
Lutz
[openssl.org #726] bug report, help request...
[EMAIL PROTECTED] - Mon Oct 6 17:08:31 2003]:
> While running the make command to build version 9.7c, I get the following errors. My system is OpenBSD i386. Please help me fix this bug, if it is in fact a bug with OpenSSL ...
> des-586.s:2458: Error: Unimplemented segment type 151680 in parse_operand

This problem is discussed in the OpenSSL FAQ, see point "Why does OpenBSD-i386 build fail on des-586.s with Unimplemented segment type?"

Best regards,
Lutz
[openssl.org #725] compile error on SunOS 4.1.4
[EMAIL PROTECTED] - Mon Oct 6 17:05:28 2003]:
> Hi,
> while upgrading to 0.9.7c on my old SunOS 4.1.4 box I am getting the following error:
>
> | making all in test...
> | if [ = hpux-shared -o = darwin-shared ] ; then \
> | gcc -o destest -I.. -I../include -DOPENSSL_SYSNAME_SUNOS -DOPENSSL_NO_KRB5 -O3 -mv8 -Dssize_t=int destest.o ../libcrypto.a ; \
> | else \
> | LD_LIBRARY_PATH=..:$LD_LIBRARY_PATH \
> | gcc -o destest -I.. -I../include -DOPENSSL_SYSNAME_SUNOS -DOPENSSL_NO_KRB5 -O3 -mv8 -Dssize_t=int destest.o -L.. -lcrypto ; \
> | fi
> | ld: Undefined symbol
> | _memmove
> | collect2: ld returned 2 exit status
> | *** Error code 1
> | make: Fatal error: Command failed for target `destest'
> | Current working directory /home/hmo/src/openssl-0.9.7c/test
> | *** Error code 1
> | make: Fatal error: Command failed for target `sub_all'
> | Current working directory /home/hmo/src/openssl-0.9.7c
> | *** Error code 1
> | make: Fatal error: Command failed for target `top'
>
> This error doesn't show up with 0.9.7b. The difference between both versions' test/destest.c is minimal and not related to any memmove issue. Perhaps this is a configuration issue, or it may be related to the somewhat larger change in crypto/des/cfb_enc.c which introduced some new memmove() calls from 0.9.7b to 0.9.7c.

crypto/des/cfb_enc.c was not including e_os.h which is mapping memmove() to bcopy() SunOS. This was reported with ticket #715 and is already fixed in CVS.

Best regards,
Lutz
[openssl.org #774] problem installing openssl-0.9.4
[EMAIL PROTECTED] - Wed Nov 19 19:56:49 2003]:
> Hi,
> when i run ./config i get:
> Operating system: sun4u-sun-solaris2
> ./config: test: unknown operator (GCC)

OpenSSL-0.9.4 is outdated and buggy (including security issues). Please upgrade to 0.9.7c or at least to 0.9.6l. It may be the case that the old config script has problems on your system, but we do not care about 0.9.4 anymore.

> then on running make i get:
> making all in crypto...
> ( echo #ifndef MK1MF_BUILD; \
> echo /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */; \
> echo #define CFLAGS \cc -DTHREADS -D_REENTRANT -xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM\; \
> echo #define PLATFORM \solaris-sparcv9-cc\; \
> echo #define DATE \`date`\; \
> echo #endif ) buildinf.h
> cc -I. -I../include -DTHREADS -D_REENTRANT -xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM -c cryptlib.c
> sh: cc: not found

You don't seem to have a C-compiler in your PATH...

Best regards,
Lutz
Re: [openssl.org #772] 32/64-bit detection on HPUX 11.11
On Wed, Nov 19, 2003 at 09:50:41AM +0100, Richard Levitte - VMS Whacker via RT wrote:
> In message [EMAIL PROTECTED] on Wed, 19 Nov 2003 09:38:04 +0100 (MET), Andy Polyakov via RT [EMAIL PROTECTED] said:
>
> rt> > Now, the really cool thing would be if someone (you?) could provide us
> rt> > with some sh code that identifies 64bit HP/UX so we could set that up
> rt> > in the script 'config'.
> rt>
> rt> ??? 'config' tells apart 32- and 64-bit HP/UX kernels since a long time
> rt> ago. Look for 'getconf KERNEL_BITS'.
>
> Oh? So how come 64-bit people get a build that tries to go for 32-bit? What have we missed? I haven't looked yet, but I might tonight, if I remember...

Actually the problem doesn't seem to be the kernel but the compiler used. The original requestor uses gcc version 3.3.2. The 32/64 bit decision is made by running the GCC in question and looking for __LP64__ in the output (lines 410-418 in 0.9.7-CVS). Maybe running a 64bit compiler on a 32bit kernel does not correctly determine which target should be used. (Maybe it isn't a good idea anyway.) I suppose the original requestor (living in another timezone) can clarify this a bit later.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
Re: [openssl.org #772] 32/64-bit detection on HPUX 11.11
On Wed, Nov 19, 2003 at 12:28:18PM +0100, Andy Polyakov wrote:
> > The IBM patch with the code in it is available, but it's too big to post to this list.
>
> Post it to openssl-team then:-)
>
> A.

Even better: do post it to [EMAIL PROTECTED]. RT will forward the message to the list but will strip the attachment and store it for download.

Best regards,
Lutz
[openssl.org #748] bug in speed.c
[EMAIL PROTECTED] - Wed Oct 29 08:34:31 2003]:
> Hello! It's me again :) I changed speed.c for benchmarking AES methods too. It was easy :) Maybe it will help you.

Thanks, I have applied your changes to CVS.

Best regards,
Lutz
[openssl.org #757] Missing ordinal
[EMAIL PROTECTED] - Mon Nov 17 14:49:59 2003]:
> Lutz Jaenicke via RT [EMAIL PROTECTED] said:
> > Hmm. Between OpenSSL 0.9.6 and 0.9.7, the following change was made (see the corresponding util/libeay.num files):
> > OpenSSL_add_all_algorithms 508 EXIST::FUNCTION:
> > became
> > OpenSSL_add_all_algorithms 508 NOEXIST::FUNCTION:
> > If your version of wget was built against 0.9.6 and you are using a library built from 0.9.7 or later, this failure can be explained.
>
> I built everything from openssl-SNAP-20031103.tar.gz. BTW I assume this is the 0.9.8 snapshot, but having 5 snapshots is kinda confusing.
>
> OpenSSL_add_all_algorithms() is a macro in crypto/evp/evp.h so it AFAICS isn't added to the output according to the debug.
> perl util/mkdef.pl debug 32 libeay:
> #INFO::;#INFO::;#INFO::;
> DEBUG: $_=#define OpenSSL_add_all_algorithms() OPENSSL_add_all_algorithms_noconf()
> DEBUG: $def=
>
> > however don't know what this would have to do with running detached (whatever this term might mean for Win32...)
>
> Running detached on Win32 is similar to prog .. on Unix/bash.

My actual guess was some header/library inconsistency. Are you sure that your binary(s) are compiled and linked against the correct header and library files?

I have left the ticket open because your report indicated that the behaviour would depend on the way the application is called (detached or in foreground), for which I cannot offer any hint...

Best regards,
Lutz
[openssl.org #735] Makefile.org rev 1.154.2.63 breaks OpenServer 5
[EMAIL PROTECTED] - Mon Oct 20 15:20:21 2003]:
> In trying to build either the OpenSSL_0_9_7c or OpenSSL_0_9_7-stable branch on OpenServer 5 I discovered a change to Makefile.org that caused the build to fail.
>
> revision 1.154.2.63
> date: 2003/05/29 22:20:55; author: levitte; state: Exp; lines: +2 -2
> Have ASFLAGS be defined the same way as CFLAGS
>
> causes some assembler modules to not build ...
>
> If it was important to s/ASFLAGS/ASFLAG/ in Makefile.org, perhaps adding ASFLAGS= $(ASFLAG) to these makefiles would be in order.
> crypto/sha/Makefile.ssl
> crypto/ripemd/Makefile.ssl
> crypto/des/Makefile.ssl
> crypto/rc4/Makefile.ssl
> crypto/bf/Makefile.ssl

Thanks. I have added the corresponding ASFLAGS setting to these files. Please test the next snapshot (or CVS).

Best regards,
Lutz
[openssl.org #759] [PATCH] openssl-0.9.6l Makefile typo
[EMAIL PROTECTED] - Wed Nov 12 09:01:22 2003]:
> There's a typo in the names for the shared object libraries under linux/390 which leads to libraries libcrypto.so.0,9.6 instead of libcrypto.so.0.9.6 being built.
> ...

Thanks, patch applied.

Best regards,
Lutz
[openssl.org #558] Patch Openssl 0.9.7a for AIX 5.2 to use /dev/urandom
[jaenicke - Wed Apr 30 15:46:39 2003]:
> [jaenicke - Mon Apr 28 10:56:55 2003]:
> > I consider this to be a bug in the AIX 5.2 select() routine. Please file a bug report.
>
> In the meantime I have received information from Craig Anthony [EMAIL PROTECTED]. The AIX 5.2 implementation of select() cannot handle the /dev/[u]random devices and therefore fails. On 4 June 2003 a fix for this issue (APAR IY43851) will be available.

The fix has been released in the meantime. I therefore close this ticket.

Best regards,
Lutz
[openssl.org #766] minor bug in apps/apps.c
[EMAIL PROTECTED] - Sun Nov 16 12:01:29 2003]:
> Hello folks, there seems to be a minor bug in the password getter:

Thanks, I have applied the change.

Best regards,
Lutz
[openssl.org #757] Missing ordinal
[EMAIL PROTECTED] - Sun Nov 9 11:26:14 2003]:
> MingW / gcc 3.3.1 / Win-XP / OpenSSL 0.9.8-dev (29 Oct 2003)
>
> libeay32.dll is missing ordinal 508 in its export table.
>
> c:\ pedump libeay32.dll:
> exports table:
> Name: libeay32.dll
> Characteristics:
> TimeDateStamp: 3FA1832D - Thu Oct 30 22:31:25 2003
> Version: 0.00
> Ordinal base: 0001
> # of functions: 0DFB
> # of Names: 0B0F
> Entry Pt Ordn Name
> 1F90 1 SSLeay
> ...
> 0009E490 506 SHA_Init
> 0009DF70 507 SHA_Update
> 0007A8D0 509 OpenSSL_add_all_ciphers
> 0007AEA0 510 OpenSSL_add_all_digests
>
> When running a program (wget.exe) that uses the libeay32.dll in the normal way (or with start /min), no problems. But running detach wget http://.. or start /inv wget http://.. the Win32 loader complains about missing ordinal 508. I have no idea how missing ordinals have anything to do with running detached (i.e. the shell starts the program in a hidden console).

Hmm. Between OpenSSL 0.9.6 and 0.9.7, the following change was made (see the corresponding util/libeay.num files):
OpenSSL_add_all_algorithms 508 EXIST::FUNCTION:
became
OpenSSL_add_all_algorithms 508 NOEXIST::FUNCTION:

If your version of wget was built against 0.9.6 and you are using a library built from 0.9.7 or later, this failure can be explained. I however don't know what this would have to do with running detached (whatever this term might mean for Win32...)

Best regards,
Lutz
[openssl.org #756] URGENT!Apache and Openssl Update problem!!!
[EMAIL PROTECTED] - Fri Nov 7 09:14:32 2003]:
> Hi, I have a Sun Cobalt RaQ XTR. I used BluelinQ from web management to update the Apache and SSL. Everything did properly and the message informed me to reboot the server to apply changes. After rebooting the server I couldn't see any web page on the system and I found that Apache was dead. I tried to start it but it showed a message like "mod_auth_pam not found". I downloaded the source of it and compiled it by the apxs command, but another message prompted me like "site is invalid", and I think it is generated by SSL. I only could see the first page of management of Sun Cobalt and I can't do any management on the system. What can I do, and what's the problem?
>
> Also I can't generate a certificate for SSL. It can't find 2 files, bss_file.c and conf_lib.c. I downloaded them but it doesn't work again. Tell me wherever to put these 2 files to work properly and generate a certificate properly.

Dear Sir,
it seems that parts of your system have been messed up, but I do not see any relation to OpenSSL. I am not familiar with BluelinQ, but you should ask the people who provided the binary packages to you for assistance.

Best regards,
Lutz
[openssl.org #751] Problem with eNULL in 0.9.7c
[guest - Thu Oct 30 23:51:10 2003]:
> Using the null cipher is causing us some problems with 0.9.7c. Not sure how important this is but for one it causes at least one 0 byte malloc that causes efence to barf:
>
> #0 0x4032d5f1 in kill () from /lib/libc.so.6
> #1 0x40017eb6 in EF_Abort () from /usr/lib/libefence.so
> #2 0x4001741a in memalign () from /usr/lib/libefence.so
> #3 0x40017a6e in malloc () from /usr/lib/libefence.so
> #4 0x401d9910 in default_malloc_ex (num=0, file=0x402ab1e7 "evp_enc.c", line=151) at mem.c:79
> #5 0x401d9fcc in CRYPTO_malloc (num=0, file=0x402ab1e7 "evp_enc.c", line=151) at mem.c:304
> #6 0x4022f48a in EVP_CipherInit_ex (ctx=0x4289af74, cipher=0x402c1cc0, impl=0x0, key=0x427d1000 <Address 0x427d1000 out of bounds>, iv=0x427d1000 <Address 0x427d1000 out of bounds>, enc=1) at evp_enc.c:151
> #7 0x40185ced in ssl3_change_cipher_state (s=0x42227ef4, which=18) at s3_enc.c:334
> #8 0x4018089e in ssl3_connect (s=0x42227ef4) at s3_clnt.c:382
> #9 0x401911b6 in SSL_do_handshake (s=0x42227ef4) at ssl_lib.c:1827
> #10 0x4019c419 in ssl_ctrl (b=0x4226bfc0, cmd=101, num=0, ptr=0x0) at bio_ssl.c:417
> #11 0x4021df70 in BIO_ctrl (b=0x4226bfc0, cmd=101, larg=0, parg=0x0) at bio_lib.c:324

Hmm. From some research it seems that some UNIX implementations of malloc() will return NULL on malloc(0), which indicates that we should have a look into this issue!

Best regards,
Lutz
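The failure mode in this ticket is worth seeing in code: a cipher with no per-context state (eNULL) leads to an allocation of zero bytes, and on a platform where malloc(0) returns NULL a caller that treats every NULL as out-of-memory fails the handshake. The following is an added example written for this page, not OpenSSL's evp_enc.c; the toy_cipher_t/toy_cipher_ctx_t types, the strict_malloc() stand-in for such a platform, and the 3DES state size are assumptions made for the illustration. It shows the naive initialiser beside one that only allocates when ctx_size is non-zero, so a NULL cipher_data is a legitimate state rather than an error.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenSSL code. Types and sizes are assumptions. */

/* Stand-in for a cipher description: the NULL cipher keeps no private state. */
typedef struct {
    const char *name;
    size_t ctx_size;      /* bytes of per-context state; 0 for eNULL */
} toy_cipher_t;

typedef struct {
    const toy_cipher_t *cipher;
    void *cipher_data;    /* NULL when the cipher has no state */
} toy_cipher_ctx_t;

/* Allocator modelling a platform where malloc(0) returns NULL, which the C
 * standard permits (the result of malloc(0) is implementation-defined). */
static void *strict_malloc(size_t n)
{
    if (n == 0)
        return NULL;
    return malloc(n);
}

/* Naive initialiser: every NULL from the allocator is taken as out-of-memory,
 * so the NULL cipher fails on such a platform. Returns 1 on success. */
int ctx_init_naive(toy_cipher_ctx_t *ctx, const toy_cipher_t *c)
{
    ctx->cipher = c;
    ctx->cipher_data = strict_malloc(c->ctx_size);
    if (ctx->cipher_data == NULL)
        return 0;          /* wrongly reports failure when ctx_size == 0 */
    memset(ctx->cipher_data, 0, c->ctx_size);
    return 1;
}

/* Hardened initialiser: allocate only when there is something to allocate.
 * NULL cipher_data is then a valid state, and NULL from malloc(n > 0) is a
 * genuine allocation failure. */
int ctx_init_safe(toy_cipher_ctx_t *ctx, const toy_cipher_t *c)
{
    ctx->cipher = c;
    ctx->cipher_data = NULL;
    if (c->ctx_size > 0) {
        ctx->cipher_data = strict_malloc(c->ctx_size);
        if (ctx->cipher_data == NULL)
            return 0;
        memset(ctx->cipher_data, 0, c->ctx_size);
    }
    return 1;
}

void ctx_cleanup(toy_cipher_ctx_t *ctx)
{
    if (ctx->cipher_data != NULL) {
        memset(ctx->cipher_data, 0, ctx->cipher->ctx_size);  /* scrub key state */
        free(ctx->cipher_data);
    }
    ctx->cipher_data = NULL;
    ctx->cipher = NULL;
}

static const toy_cipher_t null_cipher = { "eNULL", 0 };
static const toy_cipher_t des3_cipher = { "DES-EDE3-CBC", 24 + 8 };  /* assumed state size */

int main(void)
{
    toy_cipher_ctx_t ctx;
    printf("naive, eNULL: %d\n", ctx_init_naive(&ctx, &null_cipher)); ctx_cleanup(&ctx);
    printf("safe,  eNULL: %d\n", ctx_init_safe(&ctx, &null_cipher));  ctx_cleanup(&ctx);
    printf("safe,  3DES:  %d\n", ctx_init_safe(&ctx, &des3_cipher));  ctx_cleanup(&ctx);
    return 0;
}
```

The same rule applies to any length-driven allocation in protocol code (MAC keys, IVs, extension payloads): check the length before calling the allocator, rather than inferring failure from a NULL return that may simply mean "nothing to allocate".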
[openssl.org #710] chmod 644 /usr/lib/pkgconfig
[EMAIL PROTECTED] - Wed Oct 1 14:46:51 2003]:
> Hi, Makefiles of 0.9.7c have a new line:
> chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
> I believe you wanted to write
> chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/openssl.pc

Thanks. An appropriate fix has already been checked in.

Best regards,
Lutz
OpenSSL request tracker downtime
Hi!

As I have just been informed, the Internet connectivity of the university will be down due to major restructurings in the power supply system from Friday (05 Sep 2003) afternoon until Monday (08 Sep 2003) morning (central European daylight saving time). The OpenSSL request tracker hosted in Cottbus will therefore not be available over the weekend.

Best regards,
Lutz
Re: Compile Hint +z for OpenSSL on HP-UX 10.20
On Mon, Aug 18, 2003 at 08:19:39PM -0700, Josh Chamas wrote:
> Hi, I recently ran into a problem building Crypt::SSLeay against perl 5.6.1 and openssl 0.9.7b on HP-UX 10.20. The problem was that for the standard cc compiler on that platform, the +z CC_FLAG needed to be added to the Makefile for the build of openssl so that it could build the shared library correctly for perl, which was also compiling modules with the +z flag. This seems to be a widespread complaint against the HP-UX CC compiler when building various cross project modules. It might be good to have that be a standard option when compiling openssl on HP-UX 10.2x. I cannot speak towards whether this problem exists on HP-UX 11.
>
> BTW, the original error message when building Crypt::SSLeay looked like:
> ld: Invalid loader fixup for symbol $0034001C.
> and perl was trying to compile Crypt::SSLeay like this:
> cc -c -I/usr/local/ssl/include -D_HPUX_SOURCE -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -Ae -O -DVERSION=\"0.51\" -DXS_VERSION=\"0.51\" +z -I/opt/perl5/lib/5.6.1/PA-RISC1.1/CORE SSLeay.c

Your observation is technically correct. However: the problem you describe only appears if Crypt::SSLeay is linked against a static libcrypto.a/libssl.a. By adding +z (or +Z), all modules inside libcrypto.a/libssl.a become relocatable and can be linked into a very large perl module. I would rather recommend to build shared libraries (HP-UX 10.20 is supported: I am using it myself :-)

Best regards,
Lutz
Re: [openssl.org #676] Small OpenSSL
On Thu, Aug 14, 2003 at 11:31:46AM -0600, Ahrens, David (David) wrote:
> Martin,
> Can you resend the attachment. I didn't receive it. I'm very interested in a smaller openssl library. Do you have any memory profiles, statistics on the amount of size reduction you were able to achieve?

For the convenience of the mailing list readers, attachments are not forwarded but are only stored in the request tracker. You can download it from the ticket information for ticket #676 (right hand side at the bottom of Martin's message).

Best regards,
Lutz
Re: [openssl.org #665] Missing header file
On Thu, Jul 24, 2003 at 08:40:10AM +0200, Ron Whiteside via RT wrote:
> The krb5.h header file is missing from the tar ball openssl-0.9.7b.

The krb5.h header file is part of the Kerberos suite.

Best regards,
Lutz
Re: [openssl.org #665] Missing header file
On Thu, Jul 24, 2003 at 03:08:42PM +0200, Ron Whiteside via RT wrote:
> I understand that. I think you could include a dummy header file:
> #define OPENSSL_NO_KRB5

The default is to build without KRB5 support. Related problems should only occur if the user explicitly demands KRB5 support. What were your configuration options?

Best regards,
Lutz
Re: [openssl.org #665] Missing header file
On Thu, Jul 24, 2003 at 03:29:34PM +0200, Ron Whiteside via RT wrote:
> Standard Red Hat Linux 9 as shipped on their CD's.

In this case I would recommend to send a bug report to Red Hat; seems they do not have their dependencies set up correctly. The NO_KRB5 setting is contained in opensslconf.h if KRB5 support is not compiled in. If this does not hold on Red Hat Linux, their corresponding dependencies should be set, such that openssl-dev would require krb5-dev (or whatever the exact packages might be... gssapi??)

Best regards,
Lutz
Re: OpenSSL0.9.7b communication problem with IE6.0
On Wed, Jun 11, 2003 at 11:53:04PM +0900, [EMAIL PROTECTED] wrote:
> I run the SSL test server of OpenSSL 0.9.7b by the following command:
> openssl s_server -www -cipher ALL:!RC4:@STRENGH
> I tried to browse this server by IE6.0. However IE6.0 shows the error "cannot display page". I captured packets of this communication. ServerHello was completed with the selected cipher-suite TLS_RSA_WITH_3DES_EDE_CBC_SHA. So I guess the case of the 3DES cipher-suite causes something wrong. Netscape 7.02 goes well in the case of the 3DES cipher-suite. Does anyone know something on this issue?

Could you please retry with the -bugs option to s_server? It enables workarounds for well known bugs of other SSL implementations.

Best regards,
Lutz
Re: possible problems with RAND_seed()
On Mon, Jun 09, 2003 at 04:41:01PM -0400, [EMAIL PROTECTED] wrote:
> I had a 32-bit application that was working fine, but when I compiled it as 64-bit, it started to fail. I was getting this error: "PRNG not seeded". I read the documents and FAQ, and it states that the library needs to be seeded with at least 128 bits (16 bytes?). I was seeding it with a 22 byte string. Like I said, this was fine in 32-bit mode, but not in 64-bit mode. I started using the RAND_status() function to check this out. I ended up just seeding it with twice the amount (32 bytes of data) and that was enough for the library. I didn't bother trying to find any bounds for it. Anyway, I thought you people might like to know about this. Maybe the document doesn't properly reflect the implementation.

Can you give more information about versions, platform etc? (As of 0.9.7, 32 bytes are required because AES with 256 bit = 32 byte is integrated.)

Best regards,
Lutz
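The exchange above turns on how much entropy credit the PRNG has been given, not on how many bytes were mixed in. As an added example (not OpenSSL's md_rand.c, and not code from either participant), here is a small model of that bookkeeping: RAND_seed() credits every byte as full entropy, RAND_add() credits only the caller's estimate, and RAND_status() reports 1 once the credit reaches ENTROPY_NEEDED. The two thresholds are 32 bytes for 0.9.7, as stated in the reply, and 20 bytes for 0.9.6; the saturation of the credit at the threshold follows md_rand.c, while treating the credit as a plain running sum and the struct/function names are this model's own assumptions. It reproduces the reporter's observation (22 seed bytes pass one threshold and fail the other) and shows why a 64-byte buffer of low-entropy data fed through RAND_add() with an honest estimate still leaves the PRNG unseeded.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL code: a model of the entropy bookkeeping behind
 * RAND_status(). Pool mixing is left out; only the credit is tracked. */

#define ENTROPY_NEEDED_097 32.0   /* OpenSSL 0.9.7 */
#define ENTROPY_NEEDED_096 20.0   /* OpenSSL 0.9.6 */

struct prng_model {
    double entropy;       /* bytes of entropy credited so far */
    double needed;        /* threshold at which RAND_status() reports 1 */
    size_t bytes_mixed;   /* bytes fed to the pool; not the same as entropy */
};

void model_init(struct prng_model *m, double needed)
{
    memset(m, 0, sizeof *m);
    m->needed = needed;
}

/* RAND_add(buf, num, entropy): num bytes go into the pool, but only the
 * caller's estimate `entropy` (in bytes) is credited. Credit saturates at the
 * threshold, as in md_rand.c; the plain sum is this model's simplification. */
void model_add(struct prng_model *m, const unsigned char *buf, size_t num, double entropy)
{
    (void)buf;                        /* mixing omitted in this model */
    m->bytes_mixed += num;
    if (entropy > 0.0)
        m->entropy += entropy;
    if (m->entropy > m->needed)
        m->entropy = m->needed;
}

/* RAND_seed(buf, num) is RAND_add() that credits every byte as full entropy,
 * so the caller had better be certain the data really is unpredictable. */
void model_seed(struct prng_model *m, const unsigned char *buf, size_t num)
{
    model_add(m, buf, num, (double)num);
}

int model_status(const struct prng_model *m)
{
    return m->entropy >= m->needed ? 1 : 0;
}

/* The reporter's situation: one fixed-length seed string, under a given threshold. */
int status_after_seed(size_t seed_len, double needed)
{
    unsigned char seed[64];           /* constructed, deliberately low-entropy data */
    struct prng_model m;

    if (seed_len > sizeof seed)
        seed_len = sizeof seed;
    memset(seed, 0x5a, sizeof seed);
    model_init(&m, needed);
    model_seed(&m, seed, seed_len);
    return model_status(&m);
}

int main(void)
{
    struct prng_model m;
    unsigned char weak[64];
    memset(weak, 0, sizeof weak);      /* constructed: e.g. a timestamp padded with zeros */

    printf("22 seed bytes, 0.9.6 threshold: status=%d\n", status_after_seed(22, ENTROPY_NEEDED_096));
    printf("22 seed bytes, 0.9.7 threshold: status=%d\n", status_after_seed(22, ENTROPY_NEEDED_097));
    printf("32 seed bytes, 0.9.7 threshold: status=%d\n", status_after_seed(32, ENTROPY_NEEDED_097));

    model_init(&m, ENTROPY_NEEDED_097);
    model_add(&m, weak, sizeof weak, 8.0);   /* 64 bytes mixed, 8 bytes of entropy claimed */
    printf("64 weak bytes via RAND_add(..., 8.0): status=%d\n", model_status(&m));
    return 0;
}
```

The practical caveat: RAND_seed() with a buffer whose content an attacker can partly guess over-credits the pool; prefer RAND_add() with a conservative entropy estimate, or seed from a system source such as /dev/urandom, and check RAND_status() before generating keys.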
Re: [openssl.org #636] Example in man page for BIO_new_bio_pair incorrect?
On Thu, Jun 05, 2003 at 07:52:00PM +0200, via RT wrote:
> The example in this man page shows the creation of a bio pair and then setting them as the io bios for an ssl object. It states that the internal bio is implicitly deallocated when SSL_free is called on the ssl object. This does not appear to be the case. In an application developed using this assumption it was found that the bio buffer and the internal bio were leaked. The leak was cleaned up by manually deallocating the internal bio. Is this an implementation error or a documentation bug?

Hmm. I wrote the manual page and I am somehow convinced that it is correct. Whenever SSL_free() is called, the underlying BIO is also free()ed. As a BIO pair consists of 2 BIOs, only one BIO is freed automatically, the other one has to be handled by the application. Are you sure that both BIO objects are left after SSL_free()?

Best regards,
Lutz
[openssl.org #615] New Mirror
[EMAIL PROTECTED] - Wed May 14 18:31:26 2003]:
> Dear OpenSSL Team,
> we took the liberty and have created a mirror site for OpenSSL. It can be accessed at http://www.binarycode.org/openssl
> The mirror is being updated daily by cron and the server is located in Austin, TX, United States.

Thanks. I have added your entry to the list. It will show up in due course after the next automatic refresh of the OpenSSL web-site.

Best regards,
Lutz
[openssl.org #616] SSL Certificates HOWTO on www.tldp.org
[EMAIL PROTECTED] - Wed May 14 21:02:54 2003]:
> http://www.gtlib.cc.gatech.edu/pub/linux/docs/HOWTO/other-formats/html_single/SSL-Certificates-HOWTO.html
> An SSL certificates HOWTO has been released for a while on the www.tldp.org web site. This document explains how to use openSSL in many contexts.

Thanks for your contribution. I have added the link. It will show up on the OpenSSL web-site after the next automated update run.

Best regards,
Lutz
[openssl.org #628] md2test breaks with NO_MD2 config
[EMAIL PROTECTED] - Sun May 25 18:07:32 2003]:
> Hi,
> Sorry to be nagging again about compilation issues. I get the following error when trying to build with MD2 disabled:
> In file included from md2test.c:62:
> ../include/openssl/md2.h:63:2: #error MD2 is disabled.
> Moving line 63:
> #include <openssl/md2.h>
> to line 73 (after the #else) solves this.
> OpenSSL version is 0.9.7b, OS is Red Hat Linux 7.2 (configured using ./Configure linux-elf ... no-md2 ...)

After having called Configure with this option you should have been asked to run "make depend". If you had used make depend, the softlink in test/ would have been replaced with a new destination: dummytest.c. I have applied your proposed change anyway, as it reduces possible sources of errors.

> Is there a way I can be more helpful (e.g. send small corrections to small bugs instead of asking you to do it) without me having to install and learn CVS (sorry, working mainly on Windoze machines...)?

Hmm. We gladly accept patches in unified diff (diff -u) format. :-)

Best regards,
Lutz
[openssl.org #625] Bug while building openssl-0.9.7-stable-SNAP-20030522 and openssl-SNAP-20030522
[EMAIL PROTECTED] - Fri May 23 09:50:04 2003]:
> openssl-0.9.7-stable-SNAP-20030522 and openssl-SNAP-20030522 can't build under Windows XP SP1 with Visual Studio 2003 because there's a signed/unsigned incompatibility in crypto/bn/bn_mul.c line 709 for SNAP, and line 379 for stable-SNAP.

Fixed by Richard on 28-May-2003 (RT #625 not included in the commit log).

Thanks for your submission,
Lutz
[openssl.org #613] openssl s_client -starttls pop3
[EMAIL PROTECTED] - Sun May 11 10:13:19 2003]:
> Here is a tiny whack to allow s_client to communicate with a TLS enabled POP3 server. See patch attached.

Thanks for your submission. I have added your patch to both the stable (0.9.7) and the development (0.9.8) tree.

Best regards,
Lutz
[openssl.org #604] openssl timeout problem
[EMAIL PROTECTED] - Fri May 2 15:27:29 2003]:
> Hi
> By a mistake trying out openssl s_client -connect ip:5000 against a Windows XP system, it hangs for a looong time before it times out. Is it possible to set a timeout function, or would this be a good thing to add?

openssl s_client is an example implementation of client functionality. It does not provide all options with bells and whistles or to perfection. Timeout options are not provided by the basic openssl library. Timeouts are either provided by the underlying transport (TCP stack and/or kernel) or by the application using non-blocking behaviour and select(). The openssl s_client example application does not implement the latter and there are no plans to add it.

Best regards,
Lutz
[openssl.org #623] Problem make clean
[EMAIL PROTECTED] - Sun May 25 09:42:02 2003]:
> On Fri, 23 May 2003, Lutz Jaenicke via RT wrote:
> > I think my machine has a decent set of patches but as I don't have root access I cannot really verify that. Do you think you can do getconf ARG_MAX and getconf LINE_MAX on your machine such that I can see if this is indeed the problem?
> > serv01 24: getconf ARG_MAX
> > 20478
> > serv01 26: getconf LINE_MAX
> > 2048
> > Best regards,
> > Lutz
>
> Hi Lutz,
> I think this must mean there is something wrong with my workstation or my setup. I have exactly the same values as you so this cannot be the limiting factor. Perhaps there is a patch which is missing.

Hmm. I have no more specific ideas. I did dig out the following:

PHKL_10176: The internal buffer within the kernel was created with a length of 20480 bytes, with no provision for increasing its size. This patch provides for up to 100 such buffers, with all but the first allocated only if required (that is, if more than 20480 bytes of argv/env information is found). Thus, exec() now supports up to 2048000 bytes of argv/env information.

However: this patch has long been superseded by PHKL_16750 (and other later versions of this patch)...

Best regards,
Lutz
Re: [openssl.org #558] Patch Openssl 0.9.7a for AIX 5.2 to use /dev/urandom
On Mon, Mar 31, 2003 at 10:54:31AM +0200, [EMAIL PROTECTED] via RT wrote:
> Since 5.2 AIX supports /dev/random and /dev/urandom. Openssl doesn't use it because the select system call works differently on AIX than on Linux. As described in the following URL, the select system call expects the number of file descriptors as first parameter in AIX. Linux expects the highest numbered fd +1.
> http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/libs/commtrf1/select.htm

Are you sure? select() is around since UNIX exists, that means the early 70s, maybe longer. I am not that good when it comes to UNIX history :-) I would not believe that IBM would break more or less all programs by changing the select() API in an incompatible way.

Best regards,
Lutz
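Two threads on this page touch the same system call: ticket #604 above, where the reply explains that a connect/read timeout has to come from the application using non-blocking I/O plus select(), and ticket #558 here, which argues about the meaning of select()'s first argument. The following added example (written for this page; not OpenSSL code and not from either ticket's author) shows the select()-based readiness wait an application layers under a non-blocking socket, with the POSIX convention that nfds is the highest descriptor number plus one. It runs on a pipe rather than a socket so it needs no network; the function names and the 50 ms timeout are this example's own choices. The third case deliberately passes nfds equal to the descriptor instead of one more, which is the mistake a caller would make on a POSIX system if it followed the "number of descriptors" reading: the descriptor is never examined and the call simply times out even though data is waiting.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/* Added example, not OpenSSL code. Wait up to timeout_ms for fd to become
 * readable. nfds is passed explicitly so the wrong value can be demonstrated.
 * Returns 1 if readable, 0 on timeout, -1 on error. */
int wait_readable_nfds(int fd, int nfds, int timeout_ms)
{
    fd_set rfds;
    struct timeval tv;
    int rc;

    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    do {
        rc = select(nfds, &rfds, NULL, NULL, &tv);   /* tv may be updated; loop only on EINTR */
    } while (rc < 0 && errno == EINTR);
    if (rc < 0)
        return -1;
    if (rc == 0)
        return 0;                                   /* timed out */
    return FD_ISSET(fd, &rfds) ? 1 : 0;
}

/* The correct call for POSIX select(): highest descriptor + 1. */
int wait_readable(int fd, int timeout_ms)
{
    return wait_readable_nfds(fd, fd + 1, timeout_ms);
}

/* Demonstration on a pipe: empty pipe, pipe with one byte, and the wrong nfds.
 * Returns 0 on success, -1 if the pipe could not be set up. */
int pipe_demo(int *with_data, int *without_data, int *wrong_nfds)
{
    int p[2];

    if (pipe(p) != 0)
        return -1;
    *without_data = wait_readable(p[0], 50);              /* nothing written yet: 0 */
    if (write(p[1], "x", 1) != 1) {
        close(p[0]); close(p[1]);
        return -1;
    }
    *with_data = wait_readable(p[0], 50);                 /* one byte waiting: 1 */
    *wrong_nfds = wait_readable_nfds(p[0], p[0], 50);     /* nfds too small: fd ignored, 0 */
    close(p[0]);
    close(p[1]);
    return 0;
}

int main(void)
{
    int with_data, without_data, wrong_nfds;

    if (pipe_demo(&with_data, &without_data, &wrong_nfds) != 0)
        return 1;
    printf("empty pipe:          %d (0 = timed out)\n", without_data);
    printf("pipe with data:      %d (1 = readable)\n", with_data);
    printf("nfds = fd, not fd+1: %d (descriptor never examined)\n", wrong_nfds);
    return 0;
}
```

For a TLS client the same wait_readable()/wait_writable() pair wraps a socket set to O_NONBLOCK: on SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE from SSL_connect()/SSL_read(), wait with the timeout and retry, and give up when the wait returns 0.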
Re: [openssl.org #553] Attn: ANTI VIRUS 2003 CLEARANCE SALE!
On Thu, Mar 27, 2003 at 08:47:14PM +0100, Christie Barr via RT wrote:
> [SPAM]

Spam-protection measures have been adjusted.

Best regards,
Lutz
[openssl.org #547] SSL_CTX_free messes with external session cache
[EMAIL PROTECTED] - Wed Mar 26 20:14:51 2003]:
> I noticed that SSL_CTX_free() takes all the sessions in the given CTX's internal session cache, and also removes them from the external session cache (i.e., calls the delete-session callback).

Thanks. I have added a slightly modified warning to the manual pages. The ticket should stay around until a final technical solution is found, as the current behaviour does not make too much sense :-)

Best regards,
Lutz
[openssl.org #545] Problem while compiling openssl 0.9.4
[EMAIL PROTECTED] - Tue Mar 25 15:30:45 2003]:
> Hi, I've a problem compiling openssl 0.9.4. See the following output:
> YA7:ffpbld : /eu/ffp/archive/src/openssl-0.9.4 make
> making all in crypto...
> make[1]: Entering directory `/eu/ffp/archive/src/openssl-0.9.4/crypto'
> ( echo #ifndef MK1MF_BUILD; \
> echo /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */; \
> echo #define CFLAGS \cc -O\; \
> echo #define PLATFORM \cc\; \
> echo #define DATE \`date`\; \
> echo #endif ) buildinf.h
> cc -I. -I../include -O -c -o cryptlib.o cryptlib.c
> make[1]: execvp: cc: Zugriff verweigert [German: "Permission denied"]
> make[1]: *** [cryptlib.o] Error 127
> make[1]: Leaving directory `/eu/ffp/archive/src/openssl-0.9.4/crypto'
> make: *** [all] Error 1

As has been discussed on the mailing list, this problem is caused by the permissions on the build system. There is nothing OpenSSL can do about it. This ticket is therefore closed.

Best regards,
Lutz
[openssl.org #502] TXT_DB error number 2
[EMAIL PROTECTED] - Fri Feb 14 09:17:53 2003]:
> and after the last command I obtain (actually it was the last command to do):
> Certificate is to be certified until Feb 14 06:46:00 2004 GMT (365 days)
> Sign the certificate? [y/n]:y
> failed to update database
> TXT_DB error number 2

TXT_DB error number 2 is a DB_ERROR_INDEX_CLASH. This occurs if the same serial number shall be used twice. Did you solve your problem in the meantime?

Best regards,
Lutz
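The index clash named in the reply is a duplicate key in the CA's text database, the index.txt file that "openssl ca" maintains (one record per line, six tab-separated fields: status V/R/E, expiry, revocation date, serial in hex, certificate file name, subject DN; the serial is the unique index). The usual cause is a "serial" file that was reset or copied while index.txt still lists the old issuances. As an added example, not OpenSSL's TXT_DB code and not from the ticket, here is a checker that parses such a file, reports the first pair of records sharing a serial, and answers the pre-signing question "is the serial I am about to use already taken?". The record layout is the real one; the sample database is constructed for the demonstration, and the function names and buffer limits are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL code: a consistency check for "openssl ca"'s
 * index.txt. Fields: status, expiry, revocation date, serial, file, subject. */

#define MAX_ENTRIES 256
#define SERIAL_LEN  64
#define DB_BUF      8192

struct index_entry {
    char status;              /* 'V' valid, 'R' revoked, 'E' expired */
    char serial[SERIAL_LEN];  /* hex digits, normalised to upper case */
    const char *subject;      /* points into the working buffer */
};

static char db_buf[DB_BUF];
static struct index_entry entries[MAX_ENTRIES];

/* Parse one record in place. Returns 1 on success, 0 if malformed. */
int parse_index_line(char *line, struct index_entry *e)
{
    char *fields[6];
    int n = 0;
    char *p = line;

    for (;;) {                              /* split on tabs, keeping empty fields */
        char *tab;
        fields[n++] = p;
        tab = strchr(p, '\t');
        if (tab == NULL || n == 6)
            break;
        *tab = '\0';
        p = tab + 1;
    }
    if (n != 6)
        return 0;
    if (strlen(fields[0]) != 1 || strchr("VRE", fields[0][0]) == NULL)
        return 0;
    size_t slen = strlen(fields[3]);
    if (slen == 0 || slen >= SERIAL_LEN)
        return 0;
    for (size_t i = 0; i < slen; i++) {
        if (!isxdigit((unsigned char)fields[3][i]))
            return 0;
        e->serial[i] = (char)toupper((unsigned char)fields[3][i]);
    }
    e->serial[slen] = '\0';
    e->status = fields[0][0];
    e->subject = fields[5];
    return 1;
}

/* Load the whole file (one string) into entries[]. Returns the record count,
 * or -1 if the text is too large or any record cannot be parsed. */
int load_index(const char *db_text)
{
    int count = 0;
    char *line;

    if (strlen(db_text) >= sizeof db_buf)
        return -1;
    strcpy(db_buf, db_text);
    line = db_buf;
    while (line != NULL && *line != '\0') {
        char *nl = strchr(line, '\n');
        if (nl != NULL)
            *nl = '\0';
        if (*line != '\0') {                /* skip blank lines */
            if (count == MAX_ENTRIES || !parse_index_line(line, &entries[count]))
                return -1;
            count++;
        }
        line = (nl != NULL) ? nl + 1 : NULL;
    }
    return count;
}

/* 1 and the 1-based record numbers of the first pair sharing a serial,
 * 0 if all serials are unique, -1 on a parse error. */
int find_serial_clash(const char *db_text, int *first, int *second)
{
    int count = load_index(db_text);
    if (count < 0)
        return -1;
    for (int i = 0; i < count; i++)
        for (int j = i + 1; j < count; j++)
            if (strcmp(entries[i].serial, entries[j].serial) == 0) {
                *first = i + 1;
                *second = j + 1;
                return 1;
            }
    return 0;
}

/* Pre-flight check before signing: is the serial the CA is about to use
 * (the contents of its "serial" file) already present? 1 yes, 0 no, -1 error. */
int serial_in_use(const char *db_text, const char *candidate)
{
    char norm[SERIAL_LEN];
    size_t len = strlen(candidate);
    int count = load_index(db_text);

    if (count < 0 || len == 0 || len >= SERIAL_LEN)
        return -1;
    for (size_t i = 0; i < len; i++)
        norm[i] = (char)toupper((unsigned char)candidate[i]);
    norm[len] = '\0';
    for (int i = 0; i < count; i++)
        if (strcmp(entries[i].serial, norm) == 0)
            return 1;
    return 0;
}

/* Constructed sample database: serial 01 appears in records 1 and 3. */
const char sample_db[] =
    "V\t040214064600Z\t\t01\tunknown\t/C=DE/CN=alice\n"
    "R\t040301120000Z\t030501093000Z\t02\tunknown\t/C=DE/CN=bob\n"
    "V\t040214064600Z\t\t01\tunknown\t/C=DE/CN=carol\n";

int main(void)
{
    int a = 0, b = 0;
    if (find_serial_clash(sample_db, &a, &b) == 1)
        printf("serial clash between records %d and %d (serial %s)\n", a, b, entries[a - 1].serial);
    printf("serial 03 already in use: %d\n", serial_in_use(sample_db, "03"));
    return 0;
}
```

Run this over the real index.txt and the "serial" file before each signing run; when it reports a clash, the fix is to bump the serial file past the highest serial in the database rather than to edit records out of index.txt, since revoked entries must stay for CRL generation.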
[openssl.org #508] Out of memory for assertion propagation
[EMAIL PROTECTED] - Sat Feb 15 13:43:01 2003]:
> testlog maketest.log make.log
> Hello-
> I am having an error trying to load SSL on a HPUX10.20 system. Any help would be appreciated.

Hmm. I use OpenSSL on HP-UX 10.20 myself.

> $ configure -t
> Operating system: 9000/889-hp-hpux10
> Configuring for hpux-parisc2-cc
> /usr/bin/perl ./Configure hpux-parisc2-cc -D_REENTRANT
> $ configure

Hmm. For the record: my target is hpux-parisc-cc.

> $ make
> ...
> cc -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DL -DOPENSSL_NO_KRB5 -DOPENSSL_NO_ASM -D_REENTRANT +DA2.0 +DS2.0 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY -c ectest.c
> cc: main(): error 6350: Webs: Out of memory for assertion propagation. (6348)
> *** Error exit code 1
> Stop.
> *** Error exit code 1

This seems to be a compiler or system problem to me. Normally HP's C compiler is not very memory intensive, except for very high optimization levels. The default data segment size is 64MB which may be too small for some compile jobs. This is a kernel tunable parameter. What is the current status of your problem?

Best regards,
Lutz
Re: [openssl.org #543] Valid trick to reduce session object's size?
On Wed, Mar 19, 2003 at 07:40:37PM +0200, Nadav Har'El wrote:
> I can understand why a general-purpose server might want to keep those certificates around for session resumptions, but for my purposes (and probably for the purposes of many other people), this is completely unnecessary: once the client is verified to be authorized to use the tunnel, I no longer care to remember any details of who this specific client is.
>
> I think I found a solution for this, but I'm not sure how safe is what I've done so I'd appreciate comments, or ideas on how to do this better.
>
> My idea is that after the handshake completes successfully (and the client is authenticated) we can free the peer certificates. We must do it before a copy of the session is saved in the external session cache, so the proper place to do it is in the new-session callback (see SSL_CTX_sess_set_get_cb(3)) which is called right after a handshake completes and when the session is ready to be put in the external session cache.

As far as I can see, there is no problem with your approach. One obvious downside is that you lose the information about the client (but you already said that you don't care). The other downside is that you don't know whether the client authenticated at all. This is no problem as long as all clients have to authenticate anyway. In a mixed client auth/anonymous setup, you will no longer be able to distinguish the sessions. Hmm, well, that could be achieved with the session ID context, if handled carefully...

> But how do I free the peer certificate? One thing was fairly obvious - I did
> if(s->session->peer){
>     X509_free(s->session->peer);
>     s->session->peer=0;
> }
> Which frees the client's certificate. I believe this is safe to do from the new-session callback (but I'd appreciate any comments), and it makes the memory use of the external session cache much smaller (in my case).

People should not mess around with internal data structures. But there is no API, so this is the only way to do it, ...

> However, I noticed there's another field that contains certificates coming from the clients: s->session->sess_cert->cert_chain. I thought it contains the rest of the certificate chain (all except the last one, which is put in s->session->peer), and that it could be freed safely as well. But

Hmm. Do you use internal or external session caching? The cert_chain is not maintained when storing to the external session cache; thus it is only a problem if you are talking about a large internal cache.

> In fact, it would have been nice if it were possible to turn on a flag for OpenSSL, which will tell it that it can discard the client certificate (and everything related to it) immediately after its verification. I didn't see such an option existing.

There is no such option. And I indeed believe that it is a more or less unusual request (typically people are interested in obtaining the information about the peer, as this is what authentication is about). That does not mean that one could not implement it, if there is enough public interest...

Best regards,
Lutz
__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #533] small OpenSSL
On Tue, Mar 11, 2003 at 06:51:48PM +0100, rajagopalan ramanujam via RT wrote:

> I think there are no attachments.. (smallOpenSSL.tar.gz)

The request tracker does not send out attachments. You can download them from the corresponding ticket using the web-interface.

Best regards,
Lutz
Re: [openssl.org #533] small OpenSSL
On Tue, Mar 11, 2003 at 01:35:05PM -0500, Bill Pringlemeir wrote:

> Lutz == Lutz Jaenicke [EMAIL PROTECTED] writes:
>
> > rajagopalan ramanujam via RT wrote:
> > > I think there are no attachments.. (smallOpenSSL.tar.gz)
>
> Lutz> The request tracker does not send out attachments. You can
> Lutz> download them from the corresponding ticket using the
> Lutz> web-interface.
>
> I tried, http://marc.theaimsgroup.com/?l=openssl-dev&m=104739662621339&w=2; It doesn't show up on the other web interfaces of the mailing list either. I also went to www.openssl.org, but I didn't find an RT tracker link... I then found an OpenSSL RT Tracker via google at

I meant the web interface of the request tracker. The mailing list archive can only offer what was sent to the list, therefore...

Anyway, somewhere obviously well hidden there is http://www.openssl.org/support/rt2.html

> http://www.aet.tu-cottbus.de/rt2/Ticket/Display.html?id=533; The tar.gz can be found here, http://tinyurl.com/79s3; or http://www.aet.tu-cottbus.de/rt2/Ticket/Attachment/3941/2567/smallOpenSSL.tar.gz; I hope the owner of www.aet.tu-cottbus.de is ok with this...

As you might have noted, I am @aet.tu-cottbus.de, so you might have a guess on who is operating OpenSSL's request tracker :-)

Best regards,
Lutz
[openssl.org #378] building without md5
[levitte - Wed Dec 4 21:19:17 2002]:

> MD5 is one of those algorithms that's used so much it isn't easy to disable. However, you only had problems in two files with it, we're apparently doing fine. I'll investigate and get back to you.

Hmm. In ssl/s3_srvr.c it seems that both digest lengths will be pretty hard to replace...

Best regards,
Re: Configure/make bug in 0.9.7
On Wed, Feb 05, 2003 at 04:41:55PM +, Andrew Walrond wrote:

> When building on a machine without krb5...
>
>     ./config --prefix=/usr --openssldir=/etc/ssl threads
>     make -j2
>     make install
>
> ..everything works fine. However if we add the shared config option...
>
>     ./config --prefix=/usr --openssldir=/etc/ssl threads
>     make -j2
>     make install
>
> ..It dies trying to build some krb5 stuff...
>
>     making all in crypto/krb5...
>     make[2]: Entering directory `/tmp/ftl-17875/openssl-0.9.7/crypto/krb5'
>     gcc -I.. -I../.. -I../../include -fPIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentium -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -c -o krb5_asn.o krb5_asn.c
>     ar r ../../libcrypto.a krb5_asn.o
>     /usr/bin/ranlib ../../libcrypto.a
>     make[2]: Leaving directory `/tmp/ftl-17875/openssl-0.9.7/crypto/krb5'
>     make[1]: Leaving directory `/tmp/ftl-17875/openssl-0.9.7/crypto'
>     make: *** [sub_all] Error 1

Hmm. I cannot see any error message, only that make seems to detect an error and exits. Hmm. Can you retry make with only one job at a time in order to catch any error messages!?

Best regards,
Lutz
Re: Problem / unwanted behavior with SSL server and CA certs
On Thu, Feb 06, 2003 at 07:42:39PM +0100, Götz Babin-Ebell wrote:

> Hello folks,
>
> there seems to be a strange behavior with CA certificates in SSL server:
>
> I create a SSL_CTX for a server, set the certificate and the private key and add some CA certificates for client auth. with SSL_CTX_add_client_CA(). (I don't set a server CA certificate, but in the list of client CA certificates are 2 certificates with a DN that matches the issuer DN of the server certificate)
>
> But opening a SSL connection, my server still sends a CA certificate. How can I prevent the server from sending the root CA ?

With the current API it is not possible to influence this behaviour: if the cert chain is incomplete, the library will automatically try to round up from the store of trusted CAs. So the only way to create reproducible results is to define the complete chain using SSL_CTX_use_certificate_chain()...

Hmm. I vaguely remember a report quite some time ago that in a similar situation the wrong CA certificate could be picked and thus an invalid chain might be created... If this also happens in your case, please file a bug report to [EMAIL PROTECTED]

Best regards,
Lutz
Re: [openssl.org #359] Calling SSL_read and SSL_write with non-empty error stack may cause an error
On Thu, Jan 30, 2003 at 10:09:22PM +0100, Richard Levitte via RT wrote:

> Any more thoughts on this issue?

The problem is not yet solved. Using the global error stack as error indicator instead of correctly passing state back via return values is a design flaw. It happened to make problems in the past. I am currently busy as hell, so I will probably not be able to fix it over the next days.

Best regards,
Lutz
Re: ASN1_TIME inconsistent function behaviour
On Tue, Jan 14, 2003 at 12:14:52PM +0100, [EMAIL PROTECTED] wrote:

> The following code results in an ASN1_TIME structure with internal length field of 14.
>
>     date = ASN1_TIME_new();
>     ASN1_GENERALIZEDTIME_set_string(date, "20020819093712");
>
> When extracting time out of an existing certificate however with this date/time would result in a length of 15.
>
>     ASN1_GENERALIZEDTIME *gentime = ASN1_TIME_to_generalizedtime(X509_get_notBefore(cert), NULL);
>
> Consequently ASN1_STRING_cmp(date1, date2) fails, although the strings are exactly the same, 14 characters that make up the date followed by \0. Have I missed something or is there a bug somewhere?

Please check out http://www.aet.tu-cottbus.de/rt2/Ticket/Display.html?id=429 If this covers your problem, it should be fixed in recent snapshots. If it is not, please file a bug report to [EMAIL PROTECTED]

Best regards,
Lutz
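The length mismatch in the report (14 bytes for a hand-built "20020819093712", 15 bytes for the "20020819093712Z" that comes out of a certificate) is exactly why a byte-wise ASN1_STRING_cmp() fails even though both denote the same instant. The following is an added example, my own code and not OpenSSL's, that parses GeneralizedTime strings into their components and compares them as instants rather than as bytes. It treats a missing zone designator as UTC only as a stated assumption (RFC 5280 requires the trailing "Z" in certificates), applies "+hhmm"/"-hhmm" offsets, and rejects fractional seconds and out-of-range fields so that malformed input cannot compare equal to anything.

```c
/* Added example, not OpenSSL code: semantic comparison of ASN.1
 * GeneralizedTime strings ("YYYYMMDDHHMMSS" + nothing | "Z" | "+hhmm" | "-hhmm"). */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

struct gentime {
    int year, month, day, hour, minute, second;
    int offset_minutes;          /* zone offset east of UTC; 0 for "Z" or no zone */
};

/* Read n ASCII digits from s into *out; -1 if any character is not a digit. */
static int read_digits(const char *s, int n, int *out)
{
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i])) return -1;
        v = v * 10 + (s[i] - '0');
    }
    *out = v;
    return 0;
}

static int days_in_month(int y, int m)
{
    static const int d[] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
    int leap = (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
    return d[m - 1] + (m == 2 && leap);
}

/* Returns 0 on success, -1 on malformed input. A missing zone is taken as UTC
 * (assumption of this example; strings without "Z" only arise from hand-built
 * values like the one in the report). Fractional seconds are rejected, as
 * RFC 5280 forbids them in certificates. */
int gentime_parse(const char *s, struct gentime *t)
{
    if (strlen(s) < 14) return -1;
    if (read_digits(s, 4, &t->year) || read_digits(s + 4, 2, &t->month) ||
        read_digits(s + 6, 2, &t->day) || read_digits(s + 8, 2, &t->hour) ||
        read_digits(s + 10, 2, &t->minute) || read_digits(s + 12, 2, &t->second))
        return -1;
    if (t->month < 1 || t->month > 12 || t->day < 1 ||
        t->day > days_in_month(t->year, t->month) ||
        t->hour > 23 || t->minute > 59 || t->second > 59)
        return -1;
    t->offset_minutes = 0;
    const char *p = s + 14;
    if (*p == '\0') return 0;                        /* no zone: treated as UTC */
    if (*p == 'Z') return p[1] == '\0' ? 0 : -1;
    if (*p == '+' || *p == '-') {
        int sign = (*p == '+') ? 1 : -1, hh, mm;
        if (strlen(p + 1) != 4 || read_digits(p + 1, 2, &hh) || read_digits(p + 3, 2, &mm))
            return -1;
        if (hh > 23 || mm > 59) return -1;
        t->offset_minutes = sign * (hh * 60 + mm);
        return 0;
    }
    return -1;                                       /* fractional seconds or junk */
}

/* Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's
 * civil-date algorithm), so offsets can be applied without timegm(). */
static long long days_from_civil(int y, int m, int d)
{
    y -= (m <= 2);
    long long era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + (unsigned)d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (long long)doe - 719468;
}

/* Seconds since the Unix epoch, with the zone offset applied. */
long long gentime_to_unix(const struct gentime *t)
{
    return days_from_civil(t->year, t->month, t->day) * 86400LL
         + t->hour * 3600LL + t->minute * 60LL + t->second
         - (long long)t->offset_minutes * 60;
}

/* 1 if both strings denote the same instant, 0 if not, -1 if either is malformed. */
int gentime_equal(const char *a, const char *b)
{
    struct gentime ta, tb;
    if (gentime_parse(a, &ta) || gentime_parse(b, &tb)) return -1;
    return gentime_to_unix(&ta) == gentime_to_unix(&tb);
}

int main(void)
{
    const char *a = "20020819093712", *b = "20020819093712Z";   /* the report's two forms */
    printf("byte-wise equal: %s; same instant: %s\n",
           strcmp(a, b) == 0 ? "yes" : "no", gentime_equal(a, b) == 1 ? "yes" : "no");
    return 0;
}
```

The lesson for code that compares validity dates is to compare parsed instants, never raw encodings; the raw encoding of a time is not canonical, so a byte comparison can say "different" for equal times and, with a lenient producer, could be tricked into saying "equal" for different ones.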
[openssl.org #436] openssl-0.9.7 inconsistency error
[jaenicke - Wed Jan 15 12:30:08 2003]:

> Any new information?

No response for another week. I therefore close the ticket.
[openssl.org #434] duplicate execution of callback with non-blocking SSL_accept
[jaenicke - Wed Jan 15 12:28:24 2003]:

> [[EMAIL PROTECTED] - Fri Jan 3 08:21:38 2003]:
>
> > When a non-blocking SSL_accept() returns -1 with SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE set, the appropriate thing to do is to call SSL_accept() again.
>
> I have analyzed your request. For me it seems that s3_srvr.c already contains all the code necessary: the certificate is verified only once by ssl3_get_client_certificate() which is handled by its own state. It calls ssl_verify_cert_chain(), which performs the verification of the complete chain in one operation without being influenced by a blocking or non-blocking setup. I am using a non-blocking setup myself in Postfix/TLS and did not observe the verify_callback() being called twice for the same purpose.

According to my research, the behaviour matches the documentation and the verify_callback() is not called more often than necessary. As no new information came in with respect to this issue, I suppose that the problem was a misunderstanding of the expected behaviour. - Ticket resolved.
Re: Checking CRL
On Thu, Jan 16, 2003 at 11:38:40AM +0100, p b wrote:

> Thanks to openssl.org, and Lutz, I have made a client server connection using DH for key negotiation, and RSA for checking both client and server. Of course I would like to check the CRL (I use openssl 0.9.7)
>
> I have made an AC certificate, 3 client's certificates; the 3rd is now invalid in the CRL. I have a .pem file including both AC certificate and CRL. I use the SSL_CTX_load_verify_locations function to load the AC cert and CRL. I use
>
>     store = SSL_CTX_get_cert_store(ssl_ctx);
>     X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
>
> in order to check the CRL. (as made in the s_client utility)
>
> But even if I use a valid cert (number 1) or the invalid cert (number 3) for the client, the server message is:
>
>     error:14094418:lib(20):funct(148):reason(1048)
>
> The client message is:
>
>     error:14090086:SSL routine:SSL3_GET_SERVER_CERTIFICTATE:certificate verify failed
>
> What should I do ?

Carefully read the messages displayed :-)

The client is complaining about the server certificate: certificate verify failed. (You need to check the verify_result to learn more about the reason.)

The server says:

    serv01 22: openssl errstr 14094418
    error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

Therefore: it is the client that is unhappy with the server's certificate and thus stops the negotiation. This takes place before the client certificate is even sent...

Best regards,
Lutz
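The two error codes quoted above already say which side of the connection is complaining, because OpenSSL 0.9.x/1.x packs the originating library, function and reason into the 32-bit code (the layout behind the ERR_GET_LIB, ERR_GET_FUNC and ERR_GET_REASON macros of those versions: library in the top 8 bits, function in the next 12, reason in the low 12; OpenSSL 3 dropped the function field). The following added example, my own code and not OpenSSL's, unpacks those fields, reproduces the "lib(20):func(148):reason(1048)" rendering, and flags SSL-library reason codes of 1000 and above as "alert received from the peer", which is how reason 1048 decodes to TLS alert 48 (unknown_ca) and shows that the server's error is really the client's verdict. The three reason texts are a constructed lookup taken from the messages in this thread.

```c
/* Added example, not OpenSSL code: decode the packed error codes printed by
 * OpenSSL 0.9.x/1.x as error:XXXXXXXX (library:function:reason). */
#include <stdio.h>
#include <string.h>

/* Field extractors matching the 0.9.x/1.x ERR_GET_LIB/FUNC/REASON layout. */
unsigned int err_lib(unsigned long e)    { return (unsigned int)((e >> 24) & 0xffUL); }
unsigned int err_func(unsigned long e)   { return (unsigned int)((e >> 12) & 0xfffUL); }
unsigned int err_reason(unsigned long e) { return (unsigned int)(e & 0xfffUL); }

#define LIB_SSL               20    /* the "SSL routines" library, lib(20) above */
#define SSL_ALERT_REASON_BASE 1000  /* SSL reasons >= 1000 are "alert received" codes */

/* Reason texts for the codes quoted in this thread (constructed lookup; the
 * full tables live in OpenSSL's *_err.c files). */
static const struct { unsigned int lib, reason; const char *text; } known[] = {
    { LIB_SSL, 1048, "tlsv1 alert unknown ca" },
    { LIB_SSL,  134, "certificate verify failed" },
    { LIB_SSL,  231, "ssl session id is different" },
};

const char *err_reason_text(unsigned long e)
{
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (known[i].lib == err_lib(e) && known[i].reason == err_reason(e))
            return known[i].text;
    return "unknown reason";
}

/* For an SSL-library "alert received" code, the TLS alert number the peer
 * sent (1048 -> 48, unknown_ca); -1 for anything else. A non-negative result
 * means the complaint originated on the other side of the connection. */
int err_peer_alert(unsigned long e)
{
    if (err_lib(e) != LIB_SSL || err_reason(e) < SSL_ALERT_REASON_BASE) return -1;
    return (int)(err_reason(e) - SSL_ALERT_REASON_BASE);
}

/* Render the code like the numeric fallback of ERR_error_string(), plus the
 * reason text where this example knows it. Returns the snprintf() length. */
int err_describe(unsigned long e, char *buf, size_t n)
{
    return snprintf(buf, n, "error:%08lX:lib(%u):func(%u):reason(%u) [%s]",
                    e, err_lib(e), err_func(e), err_reason(e), err_reason_text(e));
}

int main(void)
{
    /* The three codes quoted in this thread. */
    const unsigned long codes[] = { 0x14094418UL, 0x14090086UL, 0x1406C0E7UL };
    char buf[128];
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        err_describe(codes[i], buf, sizeof buf);
        printf("%s\n", buf);
        int alert = err_peer_alert(codes[i]);
        if (alert >= 0) printf("  -> peer sent TLS alert %d\n", alert);
    }
    return 0;
}
```

When triaging a failed handshake, decode both sides' codes this way before touching configuration: an "alert received" reason on one end points at a verification failure on the other end, which is where the verify_result and the trust store need to be inspected.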
[openssl.org #461] Minor makefile/ranlib problem in crypto/{engine krb5ocsp ui}
[[EMAIL PROTECTED] - Thu Jan 16 18:06:21 2003]:

> OpenSSL version: 0.9.7
> Platform: HP-UX 11.00
> Severity: Minor
>
> Hello,
>
> I just rebuilt OpenSSL 0.9.7 on several platforms (OpenVMS, Solaris, Linux, HP-UX, WinNT). The make failed on HP-UX due to a minor problem in the following four makefiles (all new in 0.9.7 AFAIK):
>
>     crypto/engine/Makefile.ssl
>     crypto/krb5/Makefile.ssl
>     crypto/ocsp/Makefile.ssl
>     crypto/ui/Makefile.ssl
>
> In these makefiles, ranlib is invoked using the following command:
>
>     $(RANLIB) $(LIB)
>
> This should be replaced by:
>
>     $(RANLIB) $(LIB) || echo Never mind.

Thanks. I have made the changes similar to those in the other subdirectories.

>     /usr/ccs/bin/ranlib ../libcrypto.a
>     /usr/ccs/bin/ranlib: /usr/ccs/bin/ranlib: Cannot find or open the file.

You seem to have transition links installed, don't you?

    /usr/bin/ranlib -> /usr/ccs/bin/ranlib

but you seem to be missing ranlib completely. This seems to be pretty unusual, as nobody else reported this problem. On HP-UX 10.20 I do have the transition link and a dummy ranlib telling that ranlib is not needed anymore...

Ticket resolved,
Lutz
[openssl.org #377] SSLv2 Session ID bug
[[EMAIL PROTECTED] - Fri Jan 3 13:06:10 2003]:

> > Thanks. Your analysis is correct. I have just checked in an according patch, resolving the ticket.
>
> Unfortunately it still does not appear (version 0.9.7) to be working correctly:
>
>     $ openssl s_client -reconnect -ssl2 -connect www.openssl.org:443
>
> fails with:
>
>     1485:error:1406C0E7:SSL routines:GET_SERVER_FINISHED:ssl session id is different:s2_clnt.c:1030:
>
> the error appears to be at line 1024, which needs a 'buf+1' rather than 'buf'

Thanks. I did run my tests with the -bugs option which masked this error. I have checked in the according change.

Best regards,
Re: DH and RSA for TLS
On Wed, Jan 15, 2003 at 11:50:33AM +0100, p b wrote:

> I use openssl 0.9.7
>
> I made a client - server connection, and I would like to use TLS with RSA and DH for key negotiation. When I use AES128-SHA as cipher parameter, it works. But when I set cipher list with DHE-RSA-AES128-SHA parameter, it doesn't. I added
>
>     SSL_CTX_set_options(ssl_ctx, SSL_OP_SINGLE_DH_USE | SSL_OP_EPHEMERAL_RSA);
>
> But the result is no shared cipher
>
> Which params may I use, or which function may I add in order to allow the key negotiations using DH

EPHEMERAL_RSA has nothing to do with your problem and it is not recommended as it violates the TLS protocol. (If it is required by the protocol, it is used automatically with or without this option.)

Did you check whether all requirements are fulfilled? DHE-RSA needs:

* RSA keys
* DH parameters
* random numbers

If the PRNG were not seeded, the error message would be different, and if the RSA keys were missing, AES128-SHA would be failing as well. This leaves missing DH parameters...

Best regards,
Lutz
[openssl.org #434] duplicate execution of callback with non-blocking SSL_accept
[[EMAIL PROTECTED] - Fri Jan 3 08:21:38 2003]:

> When a non-blocking SSL_accept() returns -1 with SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE set, the appropriate thing to do is to call SSL_accept() again. This is fine, but the current state machine in ssl3_accept() doesn't seem to keep track of the fact that the callback may have succeeded already, causing the callback to be called again when SSL_accept() is retried. Is there some way around this that I'm missing? If not, wouldn't it be desirable to add something like this to the state machine in ssl3_accept()? I'm sure there are some cases where the callback should be called again (renegotiations, for example).

I have analyzed your request. For me it seems that s3_srvr.c already contains all the code necessary: the certificate is verified only once by ssl3_get_client_certificate() which is handled by its own state. It calls ssl_verify_cert_chain(), which performs the verification of the complete chain in one operation without being influenced by a blocking or non-blocking setup. I am using a non-blocking setup myself in Postfix/TLS and did not observe the verify_callback() being called twice for the same purpose.

However: the verify_callback() can be called several times during the certificate chain verification. It is called at least once for each certificate in the chain (even in case of success) and may be called more than once per certificate for different verification failures (e.g. certificate expired, signature failure, etc). Did you make sure that your report is not caused by the latter behaviour?

Best regards,
Lutz
[openssl.org #436] openssl-0.9.7 inconsistency error
Any new information?

[jaenicke - Thu Jan 9 09:00:58 2003]:

> On Thu, Jan 09, 2003 at 05:01:37AM +0100, [EMAIL PROTECTED] via RT wrote:
>
> > Is there something I can do, use a different file? Any help? Thanks much.
>
> Hmm. Actually this should not happen at all. Your C compiler picks up the wrong file. I actually remember reading a comment somewhere that some gcc versions during build provide fixed copies of header files in their corresponding gcc-lib paths. You should search your system for copies of the offending file. (Actually, this should rather not happen, as local header files in destinations specified with -I should always be searched first. As you wrote that you successfully used config, these local paths should be set up correctly.)
>
> Another way is to step into the corresponding subdirectory and call gcc manually with the paths specified (-I) and using the -E option: In this way only the preprocessor is called and the files included are listed as they are processed.
>
> Best regards,
> Lutz
Re: RE : DH and RSA for TLS
On Wed, Jan 15, 2003 at 01:27:58PM +0100, p b wrote:

> I use now the DH-RSA-AES128-SHA cipher. I have made a .pem file with my DH parameters. I load them using the PEM_read_DHparams function. HOW DO YOU PUT THOSE PARAMETERS IN THE SSL_CTX (if needed)?

man SSL_CTX_set_tmp_dh_callback

Best regards,
Lutz
[openssl.org #450] openssl-0.9.7 not building with ncr-scde
[[EMAIL PROTECTED] - Fri Jan 10 21:07:58 2003]:

> i try building openssl-0.9.7 on an ncr server using
>
>     ./Configure ncr-scde
>
> ( uname -a: cti1dev cti1dev 4.0 3.0 3360,3430-R Pentium(TM)-MCA
>   login info: Welcome to the NCR MP-RAS SVR4 UNIX System UNIX System V Release 4.0 (cti1dev) (pts/0) )
>
> and i get the following linker errors (unresolved symbols):
>
>     ...
>     Undefined          first referenced
>      symbol                in file
>     strcasecmp             ca.o
>     ftime                  speed.o

Tim Rice recommended you to use -lresolv -lc89. Did you find out in the meantime whether -lc89 would have been sufficient, such that I can add it to the Configure entry?

Best regards,
Lutz
[openssl.org #459] [bug] DSA BN_init() bugs in 0.9.6h and 0.9.7
[[EMAIL PROTECTED] - Wed Jan 15 12:12:43 2003]:

> Ivan D Nestlerode via RT wrote:
>
> > In OpenSSL 0.9.6h, there are a couple of BN_init() bugs in crypto/dsa/dsa_ossl.c. The BN_init() calls in question are in the functions: ...
>
> The same bug is in the ecdsa code in 0.9.8-dev (see attached patch for the latest snapshot (== openssl-SNAP-20030114.tar.gz)).

Patch applied, ticket resolved, thanks.

Best regards,
Lutz
[openssl.org #450] openssl-0.9.7 not building with ncr-scde
[[EMAIL PROTECTED] - Wed Jan 15 17:27:58 2003]:

> ... -lc89 is sufficient

Thanks. I have added -lc89 to the ncr-scde target. Ticket resolved.

Best regards,
Lutz
Re: [openssl.org #426] HP-UX build problems with 0.9.7
On Tue, Dec 31, 2002 at 01:21:09PM +0100, Marko Asplund via RT wrote:

> 2) error messages during 'make depend' when not using gcc and makedepend is installed on the system (HP Ansi C Developer's Bundle, imake package). seems like this version of makedepend is not supported. maybe Configure should check that the system makedepend is suitable for building OpenSSL before using it.
>
>     ...
>     ../util/domd .. -MD makedepend -- -DOPENSSL_THREADS -D_REENTRANT -DDSO_DL -DOPENSSL_NO_KRB5 -DOPENSSL_NO_IDEA +DA2.0 +DS2.0 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY -I. -I.. -I../include -DOPENSSL_NO_IDEA -- cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c o_time.c
>     cryptlib.c:433: !defined(_POSIX_C_SOURCE) || (_POSIX_C_SOURCE < 199309L)
>                                                   ^--- expecting )

Hmm. I have tried to reproduce this behaviour on HP-UX 10.20.

    serv01 21: which makedepend
    /opt/imake/bin/makedepend
    serv01 23: what /opt/imake/bin/makedepend
    /opt/imake/bin/makedepend:
            X Window System, Version 11 R6+ HP-UX B.10.20.00 January 2001 Patch Release (build date: Mon Jan 22 19:09:38 IST 2001)

The CFLAGS seem to be passed properly...

--
Lutz
Re: [openssl.org #426] HP-UX build problems with 0.9.7
On Tue, Jan 14, 2003 at 05:12:19PM +0100, Marko Asplund via RT wrote:

> this is what 'what makedepend' said on my system (at the time of the above report):
>
>     109] % what /opt/imake/bin/makedepend
>     /opt/imake/bin/makedepend:
>             X Window System, Version 11 R6+ HP-UX B.11.00.00 +O2 (build date: Wed Sep 17 02:43:56 PDT 1997)
>
> i just searched ITRC and found that this was a known problem which PHSS_22947 patch would fix. here's a quote from the patch README:
>
>     12. While parsing int literals, L suffix is not handled correctly by makedepend.
>
> http://www4.itrc.hp.com/service/patch/patchDetail.do?patchid=PHSS_22947&context=hpux:800:11:00
>
> installation of this patch does make the makedepend error messages go away.

Ok. Therefore:

1) (hpux-parisc2-cc no-asm) seems to be a compiler/optimizer bug. I have added an appropriate remark to the PROBLEMS file.
2) makedepend problem on HP-UX 11 is fixed by installing patch PHSS_22947
3) (parisc2.s contains code that is position independent) is resolved by a change checked in by Andy Polyakov.

I therefore close this ticket now.

Best regards,
Lutz
[openssl.org #434] duplicate execution of callback with non-blocking SSL_accept
[[EMAIL PROTECTED] - Fri Jan 3 08:21:38 2003]:

> When a non-blocking SSL_accept() returns -1 with SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE set, the appropriate thing to do is to call SSL_accept() again. This is fine, but the current state machine in ssl3_accept() doesn't seem to keep track of the fact that the callback may have succeeded already, causing the callback to be called again when SSL_accept() is retried. Is there some way around this that I'm missing? If not, wouldn't it be desirable to add something like this to the state machine in ssl3_accept()? I'm sure there are some cases where the callback should be called again (renegotiations, for example). Any ideas?

You are talking of the verify callback?

Best regards,
Lutz
[openssl.org #433] 0.9.7 compilation problem with Borland C++ 5.5
[[EMAIL PROTECTED] - Fri Jan 3 06:45:12 2003]:

> I'm trying to compile 0.9.7 with Borland C++ 5.5 and NASM 0.98.35 on Windows XP Professional SP1 with all updates. I did
>
>     perl Configure BC-32 no-idea no-mdc2 no-rc5
>     ms\do_nasm
>     make -f ms\bcb.mak
>
> It fails at:
>
>     bcc32 -otmp32\x_all.obj -Iinc32 -Itmp32 -DWIN32_LEAN_AND_MEAN -q -w-aus -w-par -w-inl -c -tWC -tWM -DOPENSSL_SYSNAME_WIN32 -DL_ENDIAN -DDSO_WIN32 -D_stricmp=stricmp -O2 -ff -fp -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM -DOPENSSL_NO_IDEA -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_KRB5 -c .\crypto\x509\x_all.c
>     .\crypto\x509\x_all.c:
>     Error E2450 .\crypto\x509\x_all.c 72: Undefined structure 'ASN1_ITEM_st' in function X509_verify
>     Error E2450 .\crypto\x509\x_all.c 72: Undefined structure 'ASN1_ITEM_st' in function X509_verify

ASN1_ITEM_st was added in OpenSSL 0.9.7. It therefore seems that old header files are picked up.

Best regards,
Lutz
[openssl.org #431] Help
[[EMAIL PROTECTED] - Thu Jan 2 13:14:21 2003]:

> Hello, I would configure and install a certification from openssl for Windows 2000 IIS.

This is not a bug or enhancement report with respect to the OpenSSL package. Please ask your question on the openssl-users mailing list.

Best regards,
Lutz
[openssl.org #408] Segmentation Fault (openssl-0.9.7-beta6)
[levitte - Fri Dec 20 09:28:56 2002]:

> Looks to me like everything was successful, really, even index.txt is up to date. Do you have the possibility to debug and find out exactly where the segfault happened?
>
> [[EMAIL PROTECTED] - Wed Dec 18 17:22:44 2002]:
>
> > While executing the following command, openssl gave a segmentation fault. I am using openssl-0.9.7-beta6. I am also attaching the index.txt, openssl.cnf, newcert.pem, and newreq.pem files.
> >
> >     % openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpclient_ext -extfile xpextensions -infiles newreq.pem
> >     ...

Changes were made in ca.c with respect to PR#430 which also dealt with a segmentation fault. Can you reproduce the problem with the 0.9.7 release? If you can reproduce it, does it still appear with the latest 0.9.7a development snapshot?

Best regards,
Lutz
Re: [openssl.org #436] openssl-0.9.7 inconsistency error
On Thu, Jan 09, 2003 at 05:01:37AM +0100, [EMAIL PROTECTED] via RT wrote:

> Is there something I can do, use a different file? Any help? Thanks much.

Hmm. Actually this should not happen at all. Your C compiler picks up the wrong file. I actually remember reading a comment somewhere that some gcc versions during build provide fixed copies of header files in their corresponding gcc-lib paths. You should search your system for copies of the offending file. (Actually, this should rather not happen, as local header files in destinations specified with -I should always be searched first. As you wrote that you successfully used config, these local paths should be set up correctly.)

Another way is to step into the corresponding subdirectory and call gcc manually with the paths specified (-I) and using the -E option: In this way only the preprocessor is called and the files included are listed as they are processed.

Best regards,
Lutz
Re: [openssl.org #430] segementation fault with openssl 0.9.7
On Thu, Jan 09, 2003 at 01:52:22AM +0100, Stephen Henson via RT wrote:

> Running under a debugging malloc library causes a crash earlier on with a double free error on something which is only freed once. Very odd...
>
> What platform is this on? Does anyone else get a crash with:
>
>     openssl ca -infiles

Linux: crash

HP-UX 10.20: no crash when built normally, but with efence:

    serv01 55: ./openssl ca -infiles
    Electric Fence 2.0.1 Copyright (C) 1987-1993 Bruce Perens.
    Using configuration from /usr/local/ssl/openssl.cnf
    I am unable to access the ./demoCA/newcerts directory
    ./demoCA/newcerts: No such file or directory
    ElectricFence Aborting: free(79e13fe4): address not from malloc().

Best regards,
Lutz
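The Electric Fence abort above, "free(...): address not from malloc()", is the signature of a pointer being freed twice or of a free on something that was never allocated, which a plain libc free() silently turns into heap corruption. The following added example, my own code and not OpenSSL's apps/ca.c, models what such a debug allocator does (it refuses addresses it did not hand out and keeps freed blocks in quarantine so a stale pointer can still be recognised) and runs a cleanup routine in the shape this thread describes: an error path and the normal exit path both call it. The unsafe form frees `tofree` and leaves the pointer dangling and releases `key` unconditionally; the hardened form resets each pointer after release and skips resources that were never acquired, so a second pass is a no-op. The struct field names and the NULL-intolerant `key_release()` are hypothetical stand-ins for this example.

```c
/* Added example, not OpenSSL code: a tiny Electric Fence-style allocator and
 * the unsafe vs. hardened cleanup pattern behind a double-free crash. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BLOCKS 16

/* Outstanding allocations, plus freed blocks held back so that a dangling
 * pointer can still be recognised instead of being recycled by malloc(). */
static void *live[MAX_BLOCKS];
static void *quarantine[MAX_BLOCKS];
static int   bad_frees;   /* frees of addresses the allocator did not hand out */

static void *dbg_malloc(size_t n)
{
    void *p = malloc(n);
    if (p == NULL) return NULL;
    for (int i = 0; i < MAX_BLOCKS; i++)
        if (live[i] == NULL) { live[i] = p; return p; }
    free(p);                       /* table full: report as out of memory */
    return NULL;
}

/* 0 on a valid free (or NULL); -1 for a double free or a foreign pointer,
 * the case Electric Fence reports as "address not from malloc()". */
static int dbg_free(void *p)
{
    if (p == NULL) return 0;
    for (int i = 0; i < MAX_BLOCKS; i++) {
        if (live[i] != p) continue;
        live[i] = NULL;
        for (int j = 0; j < MAX_BLOCKS; j++)
            if (quarantine[j] == NULL) { quarantine[j] = p; return 0; }
        free(p);                   /* quarantine full: release for real */
        return 0;
    }
    bad_frees++;
    return -1;
}

/* Return quarantined blocks to the system once no stale pointer can reach them. */
static void dbg_release_all(void)
{
    for (int j = 0; j < MAX_BLOCKS; j++) { free(quarantine[j]); quarantine[j] = NULL; }
}

/* Hypothetical library release routine that does not accept NULL, the kind
 * of call the "make sure key is not NULL before freeing it" guard protects. */
static int key_release(char *key)
{
    if (key == NULL) { bad_frees++; return -1; }
    return dbg_free(key);
}

/* State a command-line tool carries through its "goto end" error paths (hypothetical names). */
struct tool_state { char *tofree; char *key; };

/* UNSAFE: tofree is released but left dangling, and key is released whether
 * or not it was ever acquired. A second pass frees tofree again. */
static void cleanup_unsafe(struct tool_state *st)
{
    dbg_free(st->tofree);
    key_release(st->key);
}

/* HARDENED: release only what was acquired and reset each pointer, so a
 * second cleanup pass is a harmless no-op. */
static void cleanup_safe(struct tool_state *st)
{
    if (st->tofree != NULL) { dbg_free(st->tofree); st->tofree = NULL; }
    if (st->key != NULL)    { key_release(st->key);  st->key = NULL; }
}

/* Simulates an error path followed by the normal exit path, both of which
 * run cleanup. Returns how many bad frees that produced. */
int run_tool(int use_safe_cleanup)
{
    struct tool_state st = { NULL, NULL };
    int before = bad_frees;

    st.tofree = dbg_malloc(32);
    if (st.tofree != NULL) strcpy(st.tofree, "constructed scratch buffer");
    /* st.key is never acquired, as after an early failure */

    if (use_safe_cleanup) { cleanup_safe(&st);   cleanup_safe(&st); }
    else                  { cleanup_unsafe(&st); cleanup_unsafe(&st); }

    dbg_release_all();
    return bad_frees - before;
}

int main(void)
{
    printf("unsafe cleanup: %d bad free(s)\n", run_tool(0));
    printf("safe cleanup:   %d bad free(s)\n", run_tool(1));
    return 0;
}
```

The platform difference Lutz reports (crash on Linux, none on HP-UX without efence) is typical: whether a double free corrupts anything visible depends on the allocator, so the absence of a crash on one system is no evidence that the bug is absent; an allocator that checks every free, like the one modelled here, finds it everywhere.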
Re: [CVS] OpenSSL: OpenSSL_0_9_7-stable: openssl/apps/ ca.c
On Thu, Jan 09, 2003 at 02:05:58PM +0100, Dr. Stephen Henson wrote:

> OpenSSL CVS Repository http://cvs.openssl.org/
>
> Server: cvs.openssl.org   Name: Dr. Stephen Henson
> Root: /e/openssl/cvs      Email: [EMAIL PROTECTED]
> Module: openssl           Date: 09-Jan-2003 14:05:58
> Branch: OpenSSL_0_9_7-stable   Handle: 2003010913055700
>
> Modified files: (Branch: OpenSSL_0_9_7-stable)
>   openssl/apps ca.c
>
> Log:
>   NULL tofree when it is freed to avoid double free. Make sure key is not NULL before freeing it.

Solves PR#430 for me. (HP-UX 10.20 with Efence)

> +#include dmalloc.h
> +

This probably shouldn't go into the release :-)

Best regards,
Lutz
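Review bot: the added `+#include dmalloc.h` line in apps/ca.c introduces a dependency on a debugging allocator that the commit log does not mention (the log only describes NULLing `tofree` after free and guarding `key` against NULL); drop it, or wrap it in a build-time conditional that is off by default, before the change ships on OpenSSL_0_9_7-stable.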
Re: [openssl.org #438] SCEP support
On Tue, Jan 07, 2003 at 11:26:41PM +0100, Massimiliano Pala via RT wrote:

> forgive my ignorance but I am not at ease with your methods. You assigned me this number but what about your impression about the SCEP support integrated into OpenSSL ?

The ticket number was automatically assigned by the request tracker. Unfortunately nobody of the team yet took the time to look into your proposal. I am not familiar with SCEP (yet), however would consider it a worthwhile addition to the OpenSSL toolkit.

> I hope you are for it, but am not sure what I have to do now. Do I have to do all the integration work by myself and post it as a patch against the 0.9.7 or can we discuss of the work (i.e. I have the code almost working as a standalone command, but I guess the best integration method could be having a new scep directory within the crypto one and the scep.c in the apps directory) and where to put the code ?

Separating the code into library functions and the command line utility sounds good. This way the functions could be used by other applications linking against libcrypto.

Best regards,
Lutz
Re: [openssl.org #443] gcc warning on dsl_dl.c function dl_load for OpenSSH 0.9.7 on HP-UX 11.0
On Tue, Jan 07, 2003 at 10:24:57PM +0100, Reiter, Robert W via RT wrote:
> FYI ... possibly insignificant, but the following fragment from the output
> of running make shows the sole warning message that was generated during a
> build/compile of OpenSSH 0.9.7 on an HP-UX 11.0 machine today, and I
> thought it worth reporting since other compiler warnings have been
> reported, but nothing regarding the dsl_dl.c function dl_load ...
>
> making all in crypto/dso...
> gcc -I.. -I../.. -I../../include -DOPENSSL_THREADS -DDSO_DL -DOPENSSL_NO_KRB5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_IDEA -D_REENTRANT -O3 -DB_ENDIAN -DBN_DIV2W -c dso_dl.c
> dso_dl.c: In function `dl_load':
> dso_dl.c:129: warning: passing arg 3 of `shl_load' makes integer from pointer without a cast

The third argument shouldn't have been the NULL pointer but 0L. The two
values are actually identical, so functionality was not affected.
Fix checked in and ticket closed.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
[openssl.org #436] openssl-0.9.7 inconsistency error
[[EMAIL PROTECTED] - Sat Jan 4 15:13:09 2003]:
> Yes, sorry about that. I am running the most recent version of Slackware
> Linux. I am running the Apache webserver and looking to run secure
> webpages from the server. I have the folder with the openssl and I can run
> config fine, had to add full permissions to the folder, but when I run
> make I get that error. I enclosed a screen shot of what I get. I do
> appreciate your help, thanks much.

Hmm. I don't know what should be causing the problem. It seems that somehow
a wrong header file is being used.

Best regards,
Lutz
[openssl.org #377] SSLv2 Session ID bug
[[EMAIL PROTECTED] - Fri Jan 3 13:06:10 2003]:
> Unfortunately it still does not appear (version 0.9.7) to be working
> correctly:
>
> $ openssl s_client -reconnect -ssl2 -connect www.openssl.org:443
>
> fails with:
>
> 1485:error:1406C0E7:SSL routines:GET_SERVER_FINISHED:ssl session id is different:s2_clnt.c:1030:
>
> c the error appears to be at line 1024, which needs a 'buf+1' rather than 'buf

I have reopened the ticket,
Re: [openssl.org #436] openssl-0.9.7 inconsistency error
On Sat, Jan 04, 2003 at 01:09:07AM +0100, via RT wrote:
> After completing ./config and make I get:
>
> cryptlib.c:109: #error Inconsistency between crypto.h and cryptlib.c
> make[1]: *** [cryptlib.o] Error 1

Do you have any more information, like operating system etc.?

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus